Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Probable AdFind Recon Tool Usage (Normalized Process Events)

Back
Id45076281-35ae-45e0-b443-c32aa0baf965
RulenameProbable AdFind Recon Tool Usage (Normalized Process Events)
DescriptionIdentifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.

To use this analytics rule, make sure you have deployed the ASIM normalization parsers
SeverityHigh
TacticsDiscovery
TechniquesT1018
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/imProcess_AdFind_Usage.yaml
Version1.1.3
Arm template45076281-35ae-45e0-b443-c32aa0baf965.json
Deploy To Azure
let args = dynamic(["objectcategory","domainlist","dcmodes","adinfo","trustdmp","computers_pwdnotreqd","Domain Admins", "objectcategory=person", "objectcategory=computer", "objectcategory=*","dclist"]);
let parentProcesses = dynamic(["pwsh.exe","powershell.exe","cmd.exe"]);
imProcessCreate
//looks for execution from a shell
| where ActingProcessName has_any (parentProcesses)
| extend ActingProcessFileName = tostring(split(ActingProcessName, '\\')[-1])
| where ActingProcessFileName in~ (parentProcesses)
// main filter
| where Process hassuffix "AdFind.exe" or TargetProcessSHA256 == "c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3"
    // AdFind common Flags to check for from various threat actor TTPs
    or CommandLine has_any (args)
| extend AccountCustomEntity = User, HostCustomEntity = Dvc, ProcessCustomEntity = ActingProcessName, CommandLineCustomEntity = CommandLine, AlgorithmCustomEntity = "SHA256", FileHashCustomEntity = TargetProcessSHA256
kind: Scheduled
metadata:
  support:
    tier: Community
  categories:
    domains:
    - Security - Threat Intelligence
  source:
    kind: Community
  author:
    name: Yuval Naor
severity: High
tags:
- version: 1.0.0
  Id: c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd
- SchemaVersion: 0.1.0
  Schema: ASIMProcessEvent
name: Probable AdFind Recon Tool Usage (Normalized Process Events)
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
- entityType: Host
  fieldMappings:
  - columnName: HostCustomEntity
    identifier: HostName
- entityType: Process
  fieldMappings:
  - columnName: ProcessCustomEntity
    identifier: ProcessId
  - columnName: CommandLineCustomEntity
    identifier: CommandLine
- entityType: FileHash
  fieldMappings:
  - columnName: AlgorithmCustomEntity
    identifier: Algorithm
  - columnName: FileHashCustomEntity
    identifier: Value
relevantTechniques:
- T1018
queryFrequency: 1h
triggerThreshold: 0
queryPeriod: 1h
description: |
  'Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.
  To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)'  
id: 45076281-35ae-45e0-b443-c32aa0baf965
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/imProcess_AdFind_Usage.yaml
version: 1.1.3
tactics:
- Discovery
query: |
  let args = dynamic(["objectcategory","domainlist","dcmodes","adinfo","trustdmp","computers_pwdnotreqd","Domain Admins", "objectcategory=person", "objectcategory=computer", "objectcategory=*","dclist"]);
  let parentProcesses = dynamic(["pwsh.exe","powershell.exe","cmd.exe"]);
  imProcessCreate
  //looks for execution from a shell
  | where ActingProcessName has_any (parentProcesses)
  | extend ActingProcessFileName = tostring(split(ActingProcessName, '\\')[-1])
  | where ActingProcessFileName in~ (parentProcesses)
  // main filter
  | where Process hassuffix "AdFind.exe" or TargetProcessSHA256 == "c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3"
      // AdFind common Flags to check for from various threat actor TTPs
      or CommandLine has_any (args)
  | extend AccountCustomEntity = User, HostCustomEntity = Dvc, ProcessCustomEntity = ActingProcessName, CommandLineCustomEntity = CommandLine, AlgorithmCustomEntity = "SHA256", FileHashCustomEntity = TargetProcessSHA256  
requiredDataConnectors: []
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/45076281-35ae-45e0-b443-c32aa0baf965')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/45076281-35ae-45e0-b443-c32aa0baf965')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Probable AdFind Recon Tool Usage (Normalized Process Events)",
        "description": "'Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)'\n",
        "severity": "High",
        "enabled": true,
        "query": "let args = dynamic([\"objectcategory\",\"domainlist\",\"dcmodes\",\"adinfo\",\"trustdmp\",\"computers_pwdnotreqd\",\"Domain Admins\", \"objectcategory=person\", \"objectcategory=computer\", \"objectcategory=*\",\"dclist\"]);\nlet parentProcesses = dynamic([\"pwsh.exe\",\"powershell.exe\",\"cmd.exe\"]);\nimProcessCreate\n//looks for execution from a shell\n| where ActingProcessName has_any (parentProcesses)\n| extend ActingProcessFileName = tostring(split(ActingProcessName, '\\\\')[-1])\n| where ActingProcessFileName in~ (parentProcesses)\n// main filter\n| where Process hassuffix \"AdFind.exe\" or TargetProcessSHA256 == \"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\"\n    // AdFind common Flags to check for from various threat actor TTPs\n    or CommandLine has_any (args)\n| extend AccountCustomEntity = User, HostCustomEntity = Dvc, ProcessCustomEntity = ActingProcessName, CommandLineCustomEntity = CommandLine, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = TargetProcessSHA256\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery"
        ],
        "techniques": [
          "T1018"
        ],
        "alertRuleTemplateName": "45076281-35ae-45e0-b443-c32aa0baf965",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "identifier": "HostName",
                "columnName": "HostCustomEntity"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "identifier": "ProcessId",
                "columnName": "ProcessCustomEntity"
              },
              {
                "identifier": "CommandLine",
                "columnName": "CommandLineCustomEntity"
              }
            ]
          },
          {
            "entityType": "FileHash",
            "fieldMappings": [
              {
                "identifier": "Algorithm",
                "columnName": "AlgorithmCustomEntity"
              },
              {
                "identifier": "Value",
                "columnName": "FileHashCustomEntity"
              }
            ]
          }
        ],
        "templateVersion": "1.1.3",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/imProcess_AdFind_Usage.yaml",
        "tags": [
          {
            "Id": "c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd",
            "version": "1.0.0"
          },
          {
            "Schema": "ASIMProcessEvent",
            "SchemaVersion": "0.1.0"
          }
        ]
      }
    }
  ]
}