Probable AdFind Recon Tool Usage (Normalized Process Events)
Identifies the host and account that executed AdFind, by file hash and file name as well as by common and unique command-line flags that many threat actors use during discovery. To use this analytics rule, make sure you have deployed the ASIM normalization parsers.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Discovery | T1018 Remote System Discovery |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Sysmon | 5 | Process terminated |
| Security-Auditing | 4688 | A new process has been created. |
| Security-Auditing | 4689 | A process has exited. |
Stages and Predicates
Stage 1: source
  imProcessCreate
Stage 2: where
  ActingProcessName match "parentProcesses"
Stage 3: extend
Stage 4: where
  ActingProcessFileName eq "parentProcesses"
Stage 5: where (any of the following)
  CommandLine match "args"
  Process ends_with "AdFind.exe"
  TargetProcessSHA256 eq "c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3"
Stage 6: extend
Stage 7: extend
Stage 8: extend
Stage 9: extend
Stage 10: project-away
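As an added illustration, not the rule's own KQL (which this page does not reproduce), the Python below applies the stage predicates listed above to a few constructed imProcessCreate-shaped events and reports which of the three OR-ed Stage 5 indicators fired, which is the detail an analyst wants when triaging a hit. The parentProcesses and args lists are hypothetical stand-ins for the rule's real lists, and DvcHostname/ActorUsername are assumed ASIM field names for the host and account.

```python
import re

# SHA256 of AdFind.exe as stated on this page (the rule's TargetProcessSHA256 indicator).
ADFIND_SHA256 = "c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3"

# Hypothetical stand-ins: the rule's real "parentProcesses" and "args" lists are not on
# this page, so these constructed values only mark where they plug in.
PARENT_PROCESSES = {"cmd.exe", "powershell.exe"}
ARGS_PATTERNS = [re.compile(r"--example-recon-flag\b", re.IGNORECASE)]


def adfind_reasons(event: dict) -> list:
    """Apply the page's stage predicates to one imProcessCreate-shaped event and
    return the Stage 5 indicators that fired (an empty list means no alert)."""
    # Stages 2 and 4: the acting (parent) process file name must be a watched parent.
    parent = event.get("ActingProcessName", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if parent not in PARENT_PROCESSES:
        return []
    reasons = []
    # Stage 5: the three indicators are OR-ed, so any single one raises the rule.
    if event.get("Process", "").lower().endswith("adfind.exe"):
        reasons.append("Process ends_with AdFind.exe")
    if event.get("TargetProcessSHA256", "").lower() == ADFIND_SHA256:
        reasons.append("TargetProcessSHA256 eq AdFind hash")  # survives a renamed binary
    if any(p.search(event.get("CommandLine", "")) for p in ARGS_PATTERNS):
        reasons.append("CommandLine match args")  # survives a repacked binary
    return reasons


def hunt(events: list) -> list:
    """(host, account, process, matched indicators) for every event the rule would raise."""
    return [(e["DvcHostname"], e["ActorUsername"], e["Process"], r)
            for e in events if (r := adfind_reasons(e))]


def _ev(host, user, parent, proc, sha="", cmd=""):
    """Build one constructed event using ASIM ProcessEvent field names."""
    return {"DvcHostname": host, "ActorUsername": user, "ActingProcessName": parent,
            "Process": proc, "TargetProcessSHA256": sha, "CommandLine": cmd}


# Constructed sample telemetry (not real data) covering hit, miss, and renamed cases.
SAMPLE_EVENTS = [
    _ev("ws01", "CORP\\alice", r"C:\Windows\System32\cmd.exe", r"C:\Tools\AdFind.exe", ADFIND_SHA256.upper()),
    _ev("ws02", "CORP\\bob", r"C:\Windows\explorer.exe", r"C:\Tools\AdFind.exe", ADFIND_SHA256),  # parent not watched
    _ev("ws03", "CORP\\carol", r"C:\Windows\System32\cmd.exe", r"C:\Temp\af.exe", ADFIND_SHA256),  # renamed, same hash
    _ev("ws04", "CORP\\dave", r"C:\Windows\System32\cmd.exe", r"C:\Temp\x.exe", cmd="x.exe --example-recon-flag"),
    _ev("ws05", "CORP\\erin", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\notepad.exe"),
]
```

Running hunt(SAMPLE_EVENTS) flags ws01, ws03 and ws04; ws02 is dropped by the parent filter even though the binary is AdFind, which is the trade-off the parentProcesses predicate makes.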
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| ActingProcessFileName | in | parentProcesses |
| ActingProcessName | match | parentProcesses |
| CommandLine | match | args |
| Process | ends_with | AdFind.exe |
| TargetProcessSHA256 | eq | c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3 |