Detection rules › Kusto Query Language

Probable AdFind Recon Tool Usage

Source: upstream

'This query identifies the host and account that executed AdFind, by hash and filename, in addition to the flags commonly utilized by various threat actors during the reconnaissance phase.'

MITRE ATT&CK coverage

Tactic	Techniques
Discovery	`T1016` System Network Configuration Discovery, `T1018` Remote System Discovery, `T1069.002` Permission Groups Discovery: Domain Groups, `T1087.002` Account Discovery: Domain Account, `T1482` Domain Trust Discovery

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation
Security-Auditing	4688	A new process has been created.
Defender-DeviceProcessEvents	9001000	Process activity (any)

Stages and Predicates

Stage 1: `source`

DeviceProcessEvents

Stage 2: `where`

InitiatingProcessFileName eq "parentProcesses"

Stage 3: `where`

or
  FileName eq "AdFind.exe"
  ProcessCommandLine match "args"
  SHA256 eq "c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3"

Stage 4: `extend`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`FileName`	eq	`AdFind.exe`
`InitiatingProcessFileName`	in	`parentProcesses`
`ProcessCommandLine`	match	`args`
`SHA256`	eq	`c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3`

Probable AdFind Recon Tool Usage

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: source

Stage 2: where

Stage 3: where

Stage 4: extend

Indicators

Stage 1: `source`

Stage 2: `where`

Stage 3: `where`

Stage 4: `extend`