title: AdFind Usage Detection
author: Janantha Marasinghe (https://github.com/blueteam0ps)
date: 2021/02/02
description: AdFind continues to be seen across majority of breaches. It is used to
  domain trust discovery to plan out subsequent steps in the attack chain.
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    CommandLine:
    - '*domainlist*'
    - '*trustdmp*'
    - '*dcmodes*'
    - '*adinfo*'
    - '* dclist *'
    - '*computer_pwdnotreqd*'
    - '*objectcategory=*'
    - '*-subnets -f*'
    - '*name="Domain Admins"*'
    - '*-sc u:*'
    - '*domainncs*'
    - '*dompol*'
    - '* oudmp *'
    - '*subnetdmp*'
    - '*gpodmp*'
    - '*fspdmp*'
    - '*users_noexpire*'
    - '*computers_active*'
  condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Admin activity
id: 9a132afa-654e-11eb-ae93-0242ac130002
level: high
logsource:
  category: process_creation
  product: windows
modified: 2021/02/02
references:
- https://thedfirreport.com/2020/05/08/adfind-recon/
- https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
status: experimental
tags:
- attack.discovery
- attack.t1482
- attack.t1018
ruletype: SIGMA