Attackers may be using the Adfind tool to enumerate domain controllers and ADFS servers, gathering critical information to plan further lateral movement or privilege escalation. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential reconnaissance activities and mitigate the risk of advanced persistent threats.
KQL Query
```kql
let lookupwindow = 2m;
let threshold = 3; //number of commandlines in the set below
let DCADFSServersList = dynamic (["DCServer01", "DCServer02", "ADFSServer01"]); // Enter a reference list of hostnames for your DC/ADFS servers
let tokens = dynamic(["objectcategory","domainlist","dcmodes","adinfo","trustdmp","computers_pwdnotreqd","Domain Admins", "objectcategory=person", "objectcategory=computer", "objectcategory=*"]);
imProcessCreate
//| where Computer in (DCADFSServersList) // Uncomment to limit it to your DC/ADFS servers list if specified above or any pattern in hostnames (startswith, matches regex, etc).
| where CommandLine has_any (tokens)
| where CommandLine contains ">"
| summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), User, Dvc, ActingProcessName, TargetProcessName, EventVendor, EventProduct
| extend Count = array_length(Commandlines)
| where Count > threshold
```
```yaml
id: 1eacb645-9354-49cd-8872-8d68a4fd3f59
name: Suspicious enumeration using Adfind tool (Normalized Process Events)
description: |
  Attackers can use Adfind, an administrative tool, to gather information about domain controllers and ADFS servers. They may also rename the executable to look like another benign tool on the system.
  The query below looks for Adfind usage in command-line arguments, irrespective of the executable name, within a short span of time. You can limit the query to your DC and ADFS servers.
  The references below discuss suspicious use of Adfind by adversaries.
  - https://thedfirreport.com/2020/05/08/adfind-recon/
  - https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
  - https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
tactics:
  - Execution
  - Discovery
  - Collection
relevantTechniques:
  - T1059
  - T1087
  - T1482
  - T1201
  - T1069
  - T1074
tags:
  - Solorigate
  - NOBELIUM
query: |
  let lookupwindow = 2m;
  let threshold = 3; //number of commandlines in the set below
  let DCADFSServersList = dynamic (["DCServer01", "DCServer02", "ADFSServer01"]); // Enter a reference list of hostnames for your DC/ADFS servers
  let tokens = dynamic(["objectcategory","domainlist","dcmodes","adinfo","trustdmp","computers_pwdnotreqd","Domain Admins", "objectcategory=person", "objectcategory=computer", "objectcategory=*"]);
  imProcessCreate
  //| where Computer in (DCADFSServersList) // Uncomment to limit it to your DC/ADFS servers list if specified above or any pattern in hostnames (startswith, matches regex, etc).
  | where CommandLine has_any (tokens)
  | where CommandLine contains ">"
  | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), User, Dvc, ActingProcessName, TargetProcessName, EventVendor, EventProduct
  | extend Count = array_length(Commandlines)
  | where Count > threshold
```
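To show how the rule's token filter, redirect filter, 2-minute binning, `make_set` deduplication and threshold behave on concrete events, the following is an added Python replay of the query over constructed process-creation records. This is example code written for this page, not part of the Sentinel rule or any Microsoft library: the event field names mirror the imProcessCreate columns used in the query, every hostname, user and command line is constructed, and KQL `has_any` is approximated by case-insensitive substring matching.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOOKUP_WINDOW = timedelta(minutes=2)  # let lookupwindow = 2m
THRESHOLD = 3                         # let threshold = 3; alert when Count > threshold
TOKENS = ["objectcategory", "domainlist", "dcmodes", "adinfo", "trustdmp",
          "computers_pwdnotreqd", "domain admins", "objectcategory=person",
          "objectcategory=computer", "objectcategory=*"]  # lowercased copy of the rule's tokens

def bin_time(ts: datetime, window: timedelta = LOOKUP_WINDOW) -> datetime:
    """KQL bin(): floor ts to the start of its window (fixed bins, not a sliding window)."""
    since_midnight = ts - ts.replace(hour=0, minute=0, second=0, microsecond=0)
    return ts - (since_midnight % window)

def matches_tokens(cmd: str) -> bool:
    """Approximates KQL has_any(tokens) with a case-insensitive substring match."""
    return any(t in cmd.lower() for t in TOKENS)
def detect(events, threshold: int = THRESHOLD):
    """Replays the rule: token + '>' filter, then summarize per bin/user/device/process."""
    sets, last_seen = defaultdict(set), {}
    for e in events:
        cmd = e["CommandLine"]
        if not matches_tokens(cmd) or ">" not in cmd:  # has_any(tokens) and contains ">"
            continue
        key = (bin_time(e["TimeGenerated"]), e["User"], e["Dvc"],
               e["ActingProcessName"], e["TargetProcessName"])
        sets[key].add(cmd)  # make_set(): distinct command lines only
        last_seen[key] = max(last_seen.get(key, e["TimeGenerated"]), e["TimeGenerated"])
    return [{"Bin": k[0], "User": k[1], "Dvc": k[2], "TargetProcessName": k[4],
             "Commandlines": sorted(v), "Count": len(v), "LastObserved": last_seen[k]}
            for k, v in sets.items() if len(v) > threshold]

# Constructed events, not real telemetry; on the DC the binary has been renamed to netdiag.exe
def T(h, m, s): return datetime(2024, 1, 15, h, m, s)
def ev(ts, user, dvc, target, cmd):
    return {"TimeGenerated": ts, "User": user, "Dvc": dvc, "ActingProcessName": "cmd.exe",
            "TargetProcessName": target, "CommandLine": cmd}
SAMPLE_EVENTS = [
    ev(T(10, 0, 5), r"CORP\svc_backup", "DCServer01", "netdiag.exe", "netdiag.exe -f objectcategory=person > users.txt"),
    ev(T(10, 0, 20), r"CORP\svc_backup", "DCServer01", "netdiag.exe", "netdiag.exe -f objectcategory=computer > comps.txt"),
    ev(T(10, 0, 40), r"CORP\svc_backup", "DCServer01", "netdiag.exe", "netdiag.exe -sc trustdmp > trusts.txt"),
    ev(T(10, 1, 10), r"CORP\svc_backup", "DCServer01", "netdiag.exe", "netdiag.exe -sc dcmodes > dcmodes.txt"),
    ev(T(10, 1, 30), r"CORP\svc_backup", "DCServer01", "netdiag.exe", "netdiag.exe -f objectCategory=* -s base > domain.txt"),
    ev(T(10, 1, 50), r"CORP\svc_backup", "DCServer01", "netdiag.exe", "netdiag.exe -f objectcategory=person > users.txt"),  # duplicate
    ev(T(10, 0, 30), r"CORP\jdoe", "ADMINWS01", "adfind.exe", "adfind.exe -f objectcategory=person > users.txt"),  # one lookup
    ev(T(10, 0, 45), r"CORP\jdoe", "ADMINWS01", "adfind.exe", "adfind.exe -sc dcmodes"),  # no redirect, filtered
]
if __name__ == "__main__":
    print(*detect(SAMPLE_EVENTS), sep="\n")
```

Two tuning caveats the replay makes visible: `bin()` uses fixed windows, so a burst straddling a 2-minute boundary is split across two bins and each half may stay under the threshold, and grouping by TargetProcessName means a user alternating between adfind.exe and a renamed copy is also split into separate groups.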
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |
Scenario: Scheduled job running Adfind for routine domain user enumeration
Description: A legitimate scheduled job runs Adfind to gather user information for reporting or auditing purposes.
Filter/Exclusion: Exclude processes where the command line includes adfind -b "CN=Users,DC=example,DC=com" -s subtree -t user and the process is associated with a known scheduled job (e.g., ScheduledTaskID="DomainUserReport").
Scenario: Administrative user performing Adfind to troubleshoot Active Directory issues
Description: A domain admin uses Adfind to investigate an AD replication issue or verify user attributes.
Filter/Exclusion: Exclude processes where the user is a domain admin (e.g., UserSID="S-1-5-21-...-12345"), and the command line includes -s subtree -t user or -s domain.
Scenario: Adfind used in a script for automated user provisioning
Description: A script runs Adfind to fetch user information for automated provisioning or synchronization tasks.
Filter/Exclusion: Exclude processes where the command line includes -b "OU=Provisioning,DC=example,DC=com" and the process is initiated by a known provisioning service (e.g., ServiceName="ProvisioningService").
Scenario: Adfind renamed as a benign tool (e.g., “netdiag.exe”)
Description: An attacker renames Adfind to a common tool name to avoid detection.
Filter/Exclusion: Exclude processes where the file name is netdiag.exe but the full path includes C:\Windows\System32\adfind.exe or the process is signed by Microsoft.
Scenario: Adfind used in a PowerShell script for AD health checks