detection.wiki

Detection rules › Sigma

PUA - AdFind.EXE Execution

Severity
medium
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Source
upstream

Detects execution of Adfind.exe utility, which can be used for reconnaissance in an Active Directory environment

MITRE ATT&CK coverage

TacticTechniques
DiscoveryT1087.002 Account Discovery: Domain Account

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation

Stages and Predicates

Stage 1: selection

or:
Hashes|contains: 'IMPHASH=12ce1c0f3f5837ecc18a3782408fa975'
Hashes|contains: 'IMPHASH=21aa085d54992511b9f115355e468782'
Hashes|contains: 'IMPHASH=49b639b4acbecc49d72a01f357aa4930'
Hashes|contains: 'IMPHASH=4fbf3f084fbbb2470b80b2013134df35'
Hashes|contains: 'IMPHASH=53e117a96057eaf19c41380d0e87f1c2'
Hashes|contains: 'IMPHASH=680dad9e300346e05a85023965867201'
Hashes|contains: 'IMPHASH=bca5675746d13a1f246e2da3c2217492'
Hashes|contains: 'IMPHASH=d144de8117df2beceaba2201ad304764'
Image|endswith: '\AdFind.exe'
OriginalFileName: AdFind.exe

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Hashesmatch
  • IMPHASH=12ce1c0f3f5837ecc18a3782408fa975 corpus 2 (sigma 2)
  • IMPHASH=21aa085d54992511b9f115355e468782 corpus 2 (sigma 2)
  • IMPHASH=49b639b4acbecc49d72a01f357aa4930 corpus 2 (sigma 2)
  • IMPHASH=4fbf3f084fbbb2470b80b2013134df35 corpus 2 (sigma 2)
  • IMPHASH=53e117a96057eaf19c41380d0e87f1c2
  • IMPHASH=680dad9e300346e05a85023965867201 corpus 2 (sigma 2)
  • IMPHASH=bca5675746d13a1f246e2da3c2217492
  • IMPHASH=d144de8117df2beceaba2201ad304764 corpus 2 (sigma 2)
Imageends_with
  • \AdFind.exe corpus 2 (sigma 2)
OriginalFileNameeq
  • AdFind.exe corpus 2 (sigma 2)