Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Probable AdFind Recon Tool Usage (Normalized Process Events)

Back
Id45076281-35ae-45e0-b443-c32aa0baf965
RulenameProbable AdFind Recon Tool Usage (Normalized Process Events)
DescriptionIdentifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.

To use this analytics rule, make sure you have deployed the ASIM normalization parsers
SeverityHigh
TacticsDiscovery
TechniquesT1018
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/imProcess_AdFind_Usage.yaml
Version1.1.3
Arm template45076281-35ae-45e0-b443-c32aa0baf965.json
Deploy To Azure
let args = dynamic(["objectcategory","domainlist","dcmodes","adinfo","trustdmp","computers_pwdnotreqd","Domain Admins", "objectcategory=person", "objectcategory=computer", "objectcategory=*","dclist"]);
let parentProcesses = dynamic(["pwsh.exe","powershell.exe","cmd.exe"]);
imProcessCreate
//looks for execution from a shell
| where ActingProcessName has_any (parentProcesses)
| extend ActingProcessFileName = tostring(split(ActingProcessName, '\\')[-1])
| where ActingProcessFileName in~ (parentProcesses)
// main filter
| where Process hassuffix "AdFind.exe" or TargetProcessSHA256 == "c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3"
    // AdFind common Flags to check for from various threat actor TTPs
    or CommandLine has_any (args)
| extend AccountCustomEntity = User, HostCustomEntity = Dvc, ProcessCustomEntity = ActingProcessName, CommandLineCustomEntity = CommandLine, AlgorithmCustomEntity = "SHA256", FileHashCustomEntity = TargetProcessSHA256
tags:
- version: 1.0.0
  Id: c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd
- Schema: ASIMProcessEvent
  SchemaVersion: 0.1.0
queryPeriod: 1h
version: 1.1.3
relevantTechniques:
- T1018
queryFrequency: 1h
kind: Scheduled
name: Probable AdFind Recon Tool Usage (Normalized Process Events)
id: 45076281-35ae-45e0-b443-c32aa0baf965
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: HostCustomEntity
    identifier: HostName
  entityType: Host
- fieldMappings:
  - columnName: ProcessCustomEntity
    identifier: ProcessId
  - columnName: CommandLineCustomEntity
    identifier: CommandLine
  entityType: Process
- fieldMappings:
  - columnName: AlgorithmCustomEntity
    identifier: Algorithm
  - columnName: FileHashCustomEntity
    identifier: Value
  entityType: FileHash
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/imProcess_AdFind_Usage.yaml
severity: High
query: |
  let args = dynamic(["objectcategory","domainlist","dcmodes","adinfo","trustdmp","computers_pwdnotreqd","Domain Admins", "objectcategory=person", "objectcategory=computer", "objectcategory=*","dclist"]);
  let parentProcesses = dynamic(["pwsh.exe","powershell.exe","cmd.exe"]);
  imProcessCreate
  //looks for execution from a shell
  | where ActingProcessName has_any (parentProcesses)
  | extend ActingProcessFileName = tostring(split(ActingProcessName, '\\')[-1])
  | where ActingProcessFileName in~ (parentProcesses)
  // main filter
  | where Process hassuffix "AdFind.exe" or TargetProcessSHA256 == "c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3"
      // AdFind common Flags to check for from various threat actor TTPs
      or CommandLine has_any (args)
  | extend AccountCustomEntity = User, HostCustomEntity = Dvc, ProcessCustomEntity = ActingProcessName, CommandLineCustomEntity = CommandLine, AlgorithmCustomEntity = "SHA256", FileHashCustomEntity = TargetProcessSHA256  
tactics:
- Discovery
description: |
  'Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.
  To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)'  
requiredDataConnectors: []
metadata:
  author:
    name: Yuval Naor
  source:
    kind: Community
  categories:
    domains:
    - Security - Threat Intelligence
  support:
    tier: Community
triggerThreshold: 0
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/45076281-35ae-45e0-b443-c32aa0baf965')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/45076281-35ae-45e0-b443-c32aa0baf965')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Probable AdFind Recon Tool Usage (Normalized Process Events)",
        "description": "'Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)'\n",
        "severity": "High",
        "enabled": true,
        "query": "let args = dynamic([\"objectcategory\",\"domainlist\",\"dcmodes\",\"adinfo\",\"trustdmp\",\"computers_pwdnotreqd\",\"Domain Admins\", \"objectcategory=person\", \"objectcategory=computer\", \"objectcategory=*\",\"dclist\"]);\nlet parentProcesses = dynamic([\"pwsh.exe\",\"powershell.exe\",\"cmd.exe\"]);\nimProcessCreate\n//looks for execution from a shell\n| where ActingProcessName has_any (parentProcesses)\n| extend ActingProcessFileName = tostring(split(ActingProcessName, '\\\\')[-1])\n| where ActingProcessFileName in~ (parentProcesses)\n// main filter\n| where Process hassuffix \"AdFind.exe\" or TargetProcessSHA256 == \"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\"\n    // AdFind common Flags to check for from various threat actor TTPs\n    or CommandLine has_any (args)\n| extend AccountCustomEntity = User, HostCustomEntity = Dvc, ProcessCustomEntity = ActingProcessName, CommandLineCustomEntity = CommandLine, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = TargetProcessSHA256\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery"
        ],
        "techniques": [
          "T1018"
        ],
        "alertRuleTemplateName": "45076281-35ae-45e0-b443-c32aa0baf965",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "identifier": "HostName",
                "columnName": "HostCustomEntity"
              }
            ],
            "entityType": "Host"
          },
          {
            "fieldMappings": [
              {
                "identifier": "ProcessId",
                "columnName": "ProcessCustomEntity"
              },
              {
                "identifier": "CommandLine",
                "columnName": "CommandLineCustomEntity"
              }
            ],
            "entityType": "Process"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Algorithm",
                "columnName": "AlgorithmCustomEntity"
              },
              {
                "identifier": "Value",
                "columnName": "FileHashCustomEntity"
              }
            ],
            "entityType": "FileHash"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/imProcess_AdFind_Usage.yaml",
        "templateVersion": "1.1.3",
        "tags": [
          {
            "version": "1.0.0",
            "Id": "c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd"
          },
          {
            "Schema": "ASIMProcessEvent",
            "SchemaVersion": "0.1.0"
          }
        ]
      }
    }
  ]
}