AdFind reconnaissance activity is detected through the execution of the AdFind tool, which adversaries use to gather detailed information about Active Directory environments. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or privilege escalation attempts early.
KQL Query
let args = dynamic(["objectcategory","domainlist","dcmodes","adinfo","trustdmp","computers_pwdnotreqd","Domain Admins", "objectcategory=person", "objectcategory=computer", "objectcategory=*","dclist"]);
let parentProcesses = dynamic(["pwsh.exe","powershell.exe","cmd.exe"]);
imProcessCreate
//looks for execution from a shell
| where ActingProcessName has_any (parentProcesses)
| extend ActingProcessFileName = tostring(split(ActingProcessName, '\\')[-1])
| where ActingProcessFileName in~ (parentProcesses)
// main filter
| where Process hassuffix "AdFind.exe" or TargetProcessSHA256 == "c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3"
// AdFind common Flags to check for from various threat actor TTPs
or CommandLine has_any (args)
| extend AlgorithmType = "SHA256"
| extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0])
| extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
| project-away DomainIndex
id: 45076281-35ae-45e0-b443-c32aa0baf965
name: Probable AdFind Recon Tool Usage (Normalized Process Events)
description: |
'Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.
To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)'
severity: High
requiredDataConnectors: []
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Discovery
relevantTechniques:
- T1018
tags:
- Id: c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd
version: 1.0.0
- Schema: ASIMProcessEvent
SchemaVersion: 0.1.0
query: |
let args = dynamic(["objectcategory","domainlist","dcmodes","adinfo","trustdmp","computers_pwdnotreqd","Domain Admins", "objectcategory=person", "objectcategory=computer", "objectcategory=*","dclist"]);
let parentProcesses = dynamic(["pwsh.exe","powershell.exe","cmd.exe"]);
imProcessCreate
//looks for execution from a shell
| where ActingProcessName has_any (parentProcesses)
| extend ActingProcessFileName = tostring(split(ActingProcessName, '\\')[-1])
| where ActingProcessFileName in~ (parentProcesses)
// main filter
| where Process hassuffix "AdFind.exe" or TargetProcessSHA256 == "c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3"
// AdFind common Flags to check for from various threat actor TTPs
or CommandLine has_any (args)
| extend AlgorithmType = "SHA256"
| extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0])
| extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
| project-away DomainIndex
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: User
- identifier: Name
columnName: AccountName
- identifier: NTDomain
columnName: AccountNTDomain
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: Dvc
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: HostNameDomain
- entityType: Process
fieldMappings:
- identifier: ProcessId
columnName: ActingProcessName
- identifier: CommandLine
columnName: CommandLine
- entityType: FileHash
fieldMappings:
- identifier: Algorithm
columnName: AlgorithmType
- identifier: Value
columnName: TargetProcessSHA256
version: 1.1.6
kind: Scheduled
metadata:
source:
kind: Community
author:
name: Yuval Naor
support:
tier: Community
categories:
domains: [ "Security - Threat Intelligence" ]
| Sentinel Table | Notes |
|---|---|
imProcessCreate | Ensure this data connector is enabled |
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality
Scenario: Scheduled Job Running AdFind for User Account Management
Description: A legitimate scheduled job runs AdFind to retrieve user account information for auditing or reporting purposes.
Filter/Exclusion: process.parent_process_name != "schtasks" or process.command_line contains "export" or "csv"
Scenario: System Administrator Using AdFind for Active Directory Troubleshooting
Description: An admin uses AdFind to investigate Active Directory issues, such as user group membership or object attributes.
Filter/Exclusion: process.user_account != "Domain Admins" or process.command_line contains "search" or "filter"
Scenario: AdFind Used in a Security Assessment Toolchain
Description: AdFind is part of a security toolchain used for internal security assessments or penetration testing.
Filter/Exclusion: process.parent_process_name contains "PowerShell" or "msfconsole" or process.command_line contains "assessment" or "test"
Scenario: AdFind Used to Generate Reports for Compliance
Description: AdFind is used to generate compliance reports by exporting Active Directory data to CSV or other formats.
Filter/Exclusion: process.command_line contains "export" or "csv" or process.user_account contains "Compliance" or "Auditing"
Scenario: AdFind Used in a Backup or Sync Process
Description: AdFind is used as part of a backup or synchronization process to gather user or group information for replication.
Filter/Exclusion: process.parent_process_name contains "backup" or "sync" or process.command_line contains "backup" or "sync"