PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE
Detects active directory enumeration activity using known AdFind CLI flags
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
detection:
selection_password: # Listing password policy
CommandLine|contains:
- lockoutduration
- lockoutthreshold
- lockoutobservationwindow
- maxpwdage
- minpwdage
- minpwdlength
- pwdhistorylength
- pwdproperties
selection_enum_ad: # Enumerate Active Directory Admins
CommandLine|contains: '-sc admincountdmp'
selection_enum_exchange: # Enumerate Active Directory Exchange AD Objects
CommandLine|contains: '-sc exchaddresses'
condition: 1 of selection_*Authorized administrative activity
Tactics
Sub-techniques
PUA - AdFind Suspicious Execution
Detects AdFind execution with common flags seen used during attacks
Detects similar activity. Both rules may fire on overlapping events.
PUA - AdFind.EXE Execution
Detects execution of Adfind.exe utility, which can be used for reconnaissance in an Active Directory environment
Detects similar activity. Both rules may fire on overlapping events.