Windows AdFind Exe

Try in Splunk Security Cloud

Description

This search looks for the execution of adfind.exe with command-line arguments that it uses by default. Specifically the filter or search functions. It also considers the arguments necessary like objectcategory, see readme for more details: https://www.joeware.net/freetools/tools/adfind/usage.htm. This has been seen used before by Wizard Spider, FIN6 and actors whom also launched SUNBURST. AdFind.exe is usually used a recon tool to enumare a domain controller.

• Type: TTP
• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• Last Updated: 2021-11-03
• Author: Jose Hernandez, Bhavin Patel, Splunk
• ID: bd3b0187-189b-46c0-be45-f52da2bae67f

ATT&CK

ID	Technique	Tactic
T1018	Remote System Discovery	Discovery

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process="* -f *" OR Processes.process="* -b *") AND (Processes.process=*objectcategory* OR Processes.process="* -gcb *" OR Processes.process="* -sc *") by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_adfind_exe_filter`

Associated Analytic Story

• NOBELIUM Group
• Domain Trust Discovery

How To Implement

To successfully implement this search, you need to be ingesting logs with the process name, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

Required field

• _time
• Processes.process
• Processes.dest
• Processes.user
• Processes.process_name
• Processes.parent_process
• Processes.process_id
• Processes.parent_process_id

Kill Chain Phase

• Exploitation

Known False Positives

administrators rarely use adfind, usually not used for legitimate reasons

Reference

• https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/
• https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

• https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/atomic_red_team/windows-sysmon.log

source | version: 2