Detect Suspicious AdFind Execution

2024-11-07 01:45:21 +00:00 · 2020-09-26 21:34:06 +07:00 · 2020-09-26 21:34:06 +07:00 · c756fc8576
commit c756fc8576
parent 49ba107dce
1 changed files with 28 additions and 0 deletions
--- a/rules/windows/process_creation/win_susp_adfind.yml
+++ b/rules/windows/process_creation/win_susp_adfind.yml
@ -0,0 +1,28 @@
+title: Suspicious AdFind Execution
+id: 75df3b17-8bcc-4565-b89b-c9898acef911
+status: experimental
+description: Detects the execution of a AdFind for Active Directory enumeration 
+references:
+    - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
+    - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/fin6/Emulation_Plan/Phase1.md
+author: FPT.EagleEye Team
+date: 2020/09/26
+tags:
+    - attack.discovery
+    - attack.t1016
+    - attack.t1018
+    - attack.t1482
+    #- attack.t1069.002
+    #- attack.t1087.002
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        ProcessCommandline|contains: 'objectcategory'
+        Image: 
+            - '*\adfind.exe'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high