
PUA - AdFind Suspicious Execution

Severity
high
Author
Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community
Source
upstream

Detects AdFind execution with command-line flags commonly seen in use during attacks

MITRE ATT&CK coverage

Tactic      Techniques
Discovery   T1018 Remote System Discovery; T1069.002 Permission Groups Discovery: Domain Groups; T1087.002 Account Discovery: Domain Account; T1482 Domain Trust Discovery

Event coverage

Provider            Event ID   Title
Sysmon              1          Process creation
Security-Auditing   4688       A new process has been created.

Stages and Predicates

Stage 1: selection

or:
CommandLine|contains: ' oudmp '
CommandLine|contains: '-sc dclist'
CommandLine|contains: '-sc u:'
CommandLine|contains: '-subnets -f'
CommandLine|contains: adinfo
CommandLine|contains: computer_pwdnotreqd
CommandLine|contains: computers_active
CommandLine|contains: computers_pwdnotreqd
CommandLine|contains: dcmodes
CommandLine|contains: domainlist
CommandLine|contains: domainncs
CommandLine|contains: dompol
CommandLine|contains: fspdmp
CommandLine|contains: gpodmp
CommandLine|contains: 'name="Domain Admins"'
CommandLine|contains: 'objectcategory='
CommandLine|contains: subnetdmp
CommandLine|contains: trustdmp
CommandLine|contains: users_noexpire
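The selection above is a logical OR over substring matches on the process command line. As an added example (not part of the upstream rule or this catalog), the following Python evaluates that selection over a few constructed Sysmon EID 1 / Security 4688-style events; it assumes Sigma's default case-insensitive `contains` semantics, and the sample events and field names are constructed for illustration.

```python
# Sigma selection for "PUA - AdFind Suspicious Execution": the rule fires when
# CommandLine contains any one of these values (OR). Leading/trailing spaces in
# ' oudmp ' are part of the value, exactly as in the rule.
ADFIND_SELECTION = [
    " oudmp ", "-sc dclist", "-sc u:", "-subnets -f", "adinfo",
    "computer_pwdnotreqd", "computers_active", "computers_pwdnotreqd",
    "dcmodes", "domainlist", "domainncs", "dompol", "fspdmp", "gpodmp",
    'name="Domain Admins"', "objectcategory=", "subnetdmp", "trustdmp",
    "users_noexpire",
]


def matched_indicators(command_line: str) -> list[str]:
    """Return every selection value found in the command line (empty if none).

    Sigma 'contains' is case-insensitive by default, so both sides are lowered.
    """
    haystack = command_line.lower()
    return [value for value in ADFIND_SELECTION if value.lower() in haystack]


def rule_fires(command_line: str) -> bool:
    """True when at least one selection value matches (the rule's OR)."""
    return bool(matched_indicators(command_line))


# Constructed sample events (hypothetical values, not real telemetry).
# Note the rule keys on CommandLine only, so a renamed binary still matches.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Tools\AdFind.exe",
     "CommandLine": 'AdFind.exe -f "objectcategory=person" samaccountname'},
    {"EventID": 4688, "Image": r"C:\Windows\Temp\a.exe",
     "CommandLine": "a.exe -sc trustdmp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
]


def triage(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (Image, matched values) for every event the rule would alert on."""
    return [(e["Image"], matched_indicators(e["CommandLine"]))
            for e in events if rule_fires(e["CommandLine"])]


if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS):
        print(f"ALERT {image}: {hits}")
```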

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field         Kind    Values
CommandLine   match
  • oudmp                 corpus 2 (sigma 2)
  • -sc dclist
  • -sc u:                corpus 2 (sigma 2)
  • -subnets -f           corpus 2 (sigma 2)
  • adinfo                corpus 2 (sigma 2)
  • computer_pwdnotreqd   corpus 2 (sigma 2)
  • computers_active      corpus 2 (sigma 2)
  • computers_pwdnotreqd  corpus 2 (sigma 2)
  • dcmodes               corpus 2 (sigma 2)
  • domainlist            corpus 2 (sigma 2)
  • domainncs             corpus 2 (sigma 2)
  • dompol                corpus 2 (sigma 2)
  • fspdmp                corpus 2 (sigma 2)
  • gpodmp                corpus 2 (sigma 2)
  • name="Domain Admins"  corpus 2 (sigma 2)
  • objectcategory=       corpus 2 (sigma 2)
  • subnetdmp             corpus 2 (sigma 2)
  • trustdmp              corpus 2 (sigma 2)
  • users_noexpire        corpus 2 (sigma 2)