Probable AdFind Recon Tool Usage
| Id | c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd |
| Rulename | Probable AdFind Recon Tool Usage |
| Description | This query identifies the host and account that executed AdFind from a cmd/PowerShell parent, matching on the binary name, one known SHA256 hash, or the command-line switches and LDAP filters commonly used by threat actors during the reconnaissance phase. Because the name and hash are easily changed, the command-line terms are the resilient part of the detection and also its main false-positive source. |
| Severity | High |
| Tactics | Discovery |
| Techniques | T1016 T1018 T1069.002 T1087.002 T1482 |
| Required data connectors | MicrosoftThreatProtection |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Attacker Tools Threat Protection Essentials/Analytic Rules/AdFind_Usage.yaml |
| Version | 1.0.3 |
| Arm template | c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd.json |
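// Probable AdFind Recon Tool Usage
// Flags executions of the AdFind AD-query tool spawned from a shell, matched by
// binary name, by one known build hash, or by the switches / LDAP filters threat
// actors commonly pass to it during Discovery.
//
// Coverage caveats to keep in mind when tuning this rule:
//  * The parent-process gate below (cmd / powershell / pwsh) trades coverage for
//    noise: AdFind started directly by an implant, a service binary, a scheduled
//    task or an interactive logon (no shell parent) will not match.
//  * FileName and a single SHA256 are weak indicators – a renamed or recompiled
//    AdFind is only caught via the command-line term list.
//  * The term list is not AdFind-specific (e.g. net group "Domain Admins" also
//    contains a listed term); that is acceptable for a "Probable" rule but is the
//    expected source of false positives.
let args = dynamic(["objectcategory","domainlist","dcmodes","adinfo","trustdmp","computers_pwdnotreqd","Domain Admins", "objectcategory=person", "objectcategory=computer", "objectcategory=*","dclist"]);
let parentProcesses = dynamic(["pwsh.exe","powershell.exe","cmd.exe"]);
DeviceProcessEvents
// looks for execution from a shell (case-insensitive match on the parent image name)
| where InitiatingProcessFileName in~ (parentProcesses)
// main filter: tool name, a known build hash, or AdFind-style switches / filters
| where FileName =~ "AdFind.exe"
    // =~ makes the hash comparison independent of the casing the IOC is stored in,
    // where a strict == would silently never match an upper-case value
    or SHA256 =~ "c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3"
    // AdFind common flags to check for from various threat actor TTPs
    or ProcessCommandLine has_any (args)
// split() yields a dynamic value; tostring() hands the Host entity mapping a plain
// string. DnsDomain is everything after the first label of the FQDN.
| extend HostName = tostring(split(DeviceName, '.', 0)[0]),
         DnsDomain = strcat_array(array_slice(split(DeviceName, '.'), 1, -1), '.'),
         FileHashAlgorithm = "SHA256"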
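queryPeriod: 1h
query: |
  // Probable AdFind Recon Tool Usage
  // Flags executions of the AdFind AD-query tool spawned from a shell, matched by
  // binary name, by one known build hash, or by the switches / LDAP filters threat
  // actors commonly pass to it during Discovery.
  //
  // Coverage caveats to keep in mind when tuning this rule:
  //  * The parent-process gate below (cmd / powershell / pwsh) trades coverage for
  //    noise: AdFind started directly by an implant, a service binary, a scheduled
  //    task or an interactive logon (no shell parent) will not match.
  //  * FileName and a single SHA256 are weak indicators – a renamed or recompiled
  //    AdFind is only caught via the command-line term list.
  //  * The term list is not AdFind-specific (e.g. net group "Domain Admins" also
  //    contains a listed term); that is acceptable for a "Probable" rule but is the
  //    expected source of false positives.
  let args = dynamic(["objectcategory","domainlist","dcmodes","adinfo","trustdmp","computers_pwdnotreqd","Domain Admins", "objectcategory=person", "objectcategory=computer", "objectcategory=*","dclist"]);
  let parentProcesses = dynamic(["pwsh.exe","powershell.exe","cmd.exe"]);
  DeviceProcessEvents
  // looks for execution from a shell (case-insensitive match on the parent image name)
  | where InitiatingProcessFileName in~ (parentProcesses)
  // main filter: tool name, a known build hash, or AdFind-style switches / filters
  | where FileName =~ "AdFind.exe"
      // =~ makes the hash comparison independent of the casing the IOC is stored in,
      // where a strict == would silently never match an upper-case value
      or SHA256 =~ "c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3"
      // AdFind common flags to check for from various threat actor TTPs
      or ProcessCommandLine has_any (args)
  // split() yields a dynamic value; tostring() hands the Host entity mapping a plain
  // string. DnsDomain is everything after the first label of the FQDN.
  | extend HostName = tostring(split(DeviceName, '.', 0)[0]),
           DnsDomain = strcat_array(array_slice(split(DeviceName, '.'), 1, -1), '.'),
           FileHashAlgorithm = "SHA256"
name: Probable AdFind Recon Tool Usage
entityMappings:
  # Account that launched the matched process.
  - fieldMappings:
      - columnName: AccountName
        identifier: Name
      - columnName: AccountDomain
        identifier: UPNSuffix
    entityType: Account
  # Host, split into short name and DNS suffix by the query's extend.
  - fieldMappings:
      - columnName: HostName
        identifier: HostName
      - columnName: DnsDomain
        identifier: DnsDomain
    entityType: Host
  # The matched (AdFind) process. The ProcessId identifier must be fed the PID of
  # that process (DeviceProcessEvents.ProcessId), not the parent's file name,
  # otherwise the Process entity is built from a non-identifier value.
  - fieldMappings:
      - columnName: ProcessId
        identifier: ProcessId
      - columnName: ProcessCommandLine
        identifier: CommandLine
    entityType: Process
  # Hash of the executed image; FileHashAlgorithm is the constant set in the query.
  - fieldMappings:
      - columnName: FileHashAlgorithm
        identifier: Algorithm
      - columnName: SHA256
        identifier: Value
    entityType: FileHash
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Attacker Tools Threat Protection Essentials/Analytic Rules/AdFind_Usage.yaml
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
description: |
  'This query identifies the host and account that executed AdFind, by hash and filename, in addition to the flags commonly utilized by various threat actors during the reconnaissance phase.'
kind: Scheduled
version: 1.0.3
status: Available
severity: High
relevantTechniques:
  - T1016
  - T1018
  - T1069.002
  - T1087.002
  - T1482
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Discovery
id: c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd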