PUA - AdFind Suspicious Execution
Detects AdFind execution with common flags seen used during attacks
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
detection:
selection:
CommandLine|contains:
- 'domainlist'
- 'trustdmp'
- 'dcmodes'
- 'adinfo'
- '-sc dclist'
- 'computer_pwdnotreqd'
- 'objectcategory='
- '-subnets -f'
- 'name="Domain Admins"'
- '-sc u:'
- 'domainncs'
- 'dompol'
- ' oudmp '
- 'subnetdmp'
- 'gpodmp'
- 'fspdmp'
- 'users_noexpire'
- 'computers_active'
- 'computers_pwdnotreqd'
condition: selectionLegitimate admin activity
Simulations
Adfind - Enumerate Active Directory Computer Objects
GUID: a889f5be-2d54-4050-bd05-884578748bb4
Adfind - Enumerate Active Directory Domain Controller Objects
GUID: 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e
Tactics
Sub-techniques
Other
PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE
Detects active directory enumeration activity using known AdFind CLI flags
Detects similar activity. Both rules may fire on overlapping events.
75df3b17-8bcc-4565-b89b-c9898acef911