Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Renamed AdFind Execution

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Renamed AdFind Execution

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: Renamed AdFind Execution
id: df55196f-f105-44d3-a675-e9dfb6cc2f2b
status: test
description: Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.
references:
    - https://www.joeware.net/freetools/tools/adfind/
    - https://thedfirreport.com/2020/05/08/adfind-recon/
    - https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
    - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
    - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
    - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md
author: Florian Roth (Nextron Systems)
date: 2022-08-21
modified: 2025-02-26
tags:
    - attack.discovery
    - attack.t1018
    - attack.t1087.002
    - attack.t1482
    - attack.t1069.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        CommandLine|contains:
            - 'domainlist'
            - 'trustdmp'
            - 'dcmodes'
            - 'adinfo'
            - ' dclist '
            - 'computer_pwdnotreqd'
            - 'objectcategory='
            - '-subnets -f'
            - 'name="Domain Admins"'
            - '-sc u:'
            - 'domainncs'
            - 'dompol'
            - ' oudmp '
            - 'subnetdmp'
            - 'gpodmp'
            - 'fspdmp'
            - 'users_noexpire'
            - 'computers_active'
            - 'computers_pwdnotreqd'
    selection_2:
        Hashes|contains:
            - 'IMPHASH=BCA5675746D13A1F246E2DA3C2217492'
            - 'IMPHASH=53E117A96057EAF19C41380D0E87F1C2'
            - 'IMPHASH=d144de8117df2beceaba2201ad304764'
            - 'IMPHASH=12ce1c0f3f5837ecc18a3782408fa975'
            - 'IMPHASH=4fbf3f084fbbb2470b80b2013134df35'
            - 'IMPHASH=49b639b4acbecc49d72a01f357aa4930'
            - 'IMPHASH=680dad9e300346e05a85023965867201'
            - 'IMPHASH=21aa085d54992511b9f115355e468782'
    selection_3:
        OriginalFileName: 'AdFind.exe'
    filter:
        Image|endswith: '\AdFind.exe'
    condition: 1 of selection* and not filter
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_adfind/info.yml

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules/windows/process_creation/proc_creation_win_renamed_adfind.yml