49 lines
1.3 KiB
YAML
49 lines
1.3 KiB
YAML
|
|
title: AdFind Usage Detection
|
|
ruletype: Sigma
|
|
author: Janantha Marasinghe (https://github.com/blueteam0ps)
|
|
date: 2021/02/02
|
|
description: AdFind continues to be seen across majority of breaches. It is used to
|
|
domain trust discovery to plan out subsequent steps in the attack chain.
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 1
|
|
SELECTION_2:
|
|
CommandLine:
|
|
- '*domainlist*'
|
|
- '*trustdmp*'
|
|
- '*dcmodes*'
|
|
- '*adinfo*'
|
|
- '* dclist *'
|
|
- '*computer_pwdnotreqd*'
|
|
- '*objectcategory=*'
|
|
- '*-subnets -f*'
|
|
- '*name="Domain Admins"*'
|
|
- '*-sc u:*'
|
|
- '*domainncs*'
|
|
- '*dompol*'
|
|
- '* oudmp *'
|
|
- '*subnetdmp*'
|
|
- '*gpodmp*'
|
|
- '*fspdmp*'
|
|
- '*users_noexpire*'
|
|
- '*computers_active*'
|
|
condition: (SELECTION_1 and SELECTION_2)
|
|
falsepositives:
|
|
- Admin activity
|
|
id: 9a132afa-654e-11eb-ae93-0242ac130002
|
|
level: high
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
modified: 2021/02/02
|
|
references:
|
|
- https://thedfirreport.com/2020/05/08/adfind-recon/
|
|
- https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
|
|
- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
|
|
status: experimental
|
|
tags:
|
|
- attack.discovery
|
|
- attack.t1482
|
|
- attack.t1018
|