Detectionhightest

Renamed AdFind Execution

Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Florian Roth (Nextron Systems)Created Sun Aug 21Updated Wed Feb 26df55196f-f105-44d3-a675-e9dfb6cc2f2bwindows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_1:
        CommandLine|contains:
            - 'domainlist'
            - 'trustdmp'
            - 'dcmodes'
            - 'adinfo'
            - ' dclist '
            - 'computer_pwdnotreqd'
            - 'objectcategory='
            - '-subnets -f'
            - 'name="Domain Admins"'
            - '-sc u:'
            - 'domainncs'
            - 'dompol'
            - ' oudmp '
            - 'subnetdmp'
            - 'gpodmp'
            - 'fspdmp'
            - 'users_noexpire'
            - 'computers_active'
            - 'computers_pwdnotreqd'
    selection_2:
        Hashes|contains:
            - 'IMPHASH=BCA5675746D13A1F246E2DA3C2217492'
            - 'IMPHASH=53E117A96057EAF19C41380D0E87F1C2'
            - 'IMPHASH=d144de8117df2beceaba2201ad304764'
            - 'IMPHASH=12ce1c0f3f5837ecc18a3782408fa975'
            - 'IMPHASH=4fbf3f084fbbb2470b80b2013134df35'
            - 'IMPHASH=49b639b4acbecc49d72a01f357aa4930'
            - 'IMPHASH=680dad9e300346e05a85023965867201'
            - 'IMPHASH=21aa085d54992511b9f115355e468782'
    selection_3:
        OriginalFileName: 'AdFind.exe'
    filter:
        Image|endswith: '\AdFind.exe'
    condition: 1 of selection* and not filter