Deployable detection rules
1 vendor-native detection · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
Probable AdFind Recon Tool Usage (Normalized Process Events)
Identifies the host and account that executed AdFind, matching on the binary's SHA256 hash and file name as well as on common and distinctive command-line flags that many threat actors use during discovery.
To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent).
Query
let args = dynamic(["objectcategory","domainlist","dcmodes","adinfo","trustdmp","computers_pwdnotreqd","Domain Admins", "objectcategory=person", "objectcategory=computer", "objectcategory=*","dclist"]);
let parentProcesses = dynamic(["pwsh.exe","powershell.exe","cmd.exe"]);
imProcessCreate
// looks for execution from a shell
| where ActingProcessName has_any (parentProcesses)
| extend ActingProcessFileName = tostring(split(ActingProcessName, '\\')[-1])
| where ActingProcessFileName in~ (parentProcesses)
// main filter: known file name, known SHA256, or AdFind-style arguments
| where Process hassuffix "AdFind.exe" or TargetProcessSHA256 == "c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3"
    // AdFind common flags to check for from various threat actor TTPs
    or CommandLine has_any (args)
| extend AlgorithmType = "SHA256"
| extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0])
| extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
| project-away DomainIndex
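Before pasting the rule into a SIEM it is worth seeing exactly which events it fires on and which it lets through. The following is an added example, not part of this page or of the rule itself: it replays the query's predicates in Python over a handful of constructed ASIM-style process-creation events. Field names follow the query (ActingProcessName, Process, TargetProcessSHA256, CommandLine, User, Dvc); the `has_any` helper is an approximation of KQL's term matching, and every host name, user name and event below is made up.

```python
import re

# Lists and hash copied from the rule's query on this page
ADFIND_ARGS = ["objectcategory", "domainlist", "dcmodes", "adinfo", "trustdmp",
               "computers_pwdnotreqd", "Domain Admins", "objectcategory=person",
               "objectcategory=computer", "objectcategory=*", "dclist"]
SHELL_PARENTS = ["pwsh.exe", "powershell.exe", "cmd.exe"]
ADFIND_SHA256 = "c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3"


def has_any(text, terms):
    """Approximation of KQL has_any: case-insensitive, and the term must begin
    and end at a non-alphanumeric boundary ('dclist' matches '-dclist',
    'adinfo' does not match 'myadinfotool')."""
    for term in terms:
        pattern = r"(?<![A-Za-z0-9_])" + re.escape(term) + r"(?![A-Za-z0-9_])"
        if re.search(pattern, text, re.IGNORECASE):
            return True
    return False


def is_adfind_candidate(event):
    """The rule's where-clauses: parent is a shell, and the child is identified
    by file name, by SHA256, or by AdFind-style arguments on the command line."""
    acting = event["ActingProcessName"]
    if not has_any(acting, SHELL_PARENTS):
        return False
    acting_file = acting.split("\\")[-1]                   # split(ActingProcessName, '\\')[-1]
    if acting_file.lower() not in (p.lower() for p in SHELL_PARENTS):  # in~ is case-insensitive
        return False
    return (event["Process"].lower().endswith("adfind.exe")   # hassuffix is case-insensitive
            or event["TargetProcessSHA256"] == ADFIND_SHA256   # == is an exact match
            or has_any(event["CommandLine"], ADFIND_ARGS))


def enrich(event):
    """The rule's extend steps, reproducing its edge cases: a User without a
    backslash (UPN form) yields an empty AccountName, and a Dvc without a dot
    yields HostNameDomain equal to Dvc."""
    user_parts = event["User"].split("\\")
    dvc = event["Dvc"]
    dot = dvc.find(".")
    return {
        "AlgorithmType": "SHA256",
        "AccountName": user_parts[1] if len(user_parts) > 1 else "",
        "AccountNTDomain": user_parts[0],
        "HostName": dvc.split(".")[0],
        "HostNameDomain": dvc[dot + 1:] if dot != -1 else dvc,
    }


def run_detection(events):
    """Return one enriched record per event the rule would alert on."""
    return [{**e, **enrich(e)} for e in events if is_adfind_candidate(e)]


# Constructed sample telemetry (hypothetical hosts and users, not real data)
SAMPLE_EVENTS = [
    # Unrenamed AdFind launched from cmd.exe: caught by file name
    {"ActingProcessName": r"C:\Windows\System32\cmd.exe",
     "Process": r"C:\Tools\AdFind.exe", "TargetProcessSHA256": ADFIND_SHA256,
     "CommandLine": "AdFind.exe -f objectcategory=computer -dclist",
     "User": r"CORP\alice", "Dvc": "ws01.corp.example"},
    # Renamed build with a different hash: caught only by its arguments; UPN-style user
    {"ActingProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Process": r"C:\Users\Public\svc.exe", "TargetProcessSHA256": "0" * 64,
     "CommandLine": "svc.exe -f objectcategory=person -domainlist",
     "User": "bob@corp.example", "Dvc": "ws02"},
    # Renamed, no tell-tale arguments: caught by hash alone
    {"ActingProcessName": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "Process": r"C:\Temp\a.exe", "TargetProcessSHA256": ADFIND_SHA256,
     "CommandLine": "a.exe -h dc01 -gcb",
     "User": r"CORP\carol", "Dvc": "srv01.corp.example"},
    # AdFind started from explorer.exe: the rule requires a shell parent, so no alert
    {"ActingProcessName": r"C:\Windows\explorer.exe",
     "Process": r"C:\Tools\AdFind.exe", "TargetProcessSHA256": ADFIND_SHA256,
     "CommandLine": "AdFind.exe -dclist",
     "User": r"CORP\dave", "Dvc": "ws03.corp.example"},
    # Benign child of cmd.exe
    {"ActingProcessName": r"C:\Windows\System32\cmd.exe",
     "Process": r"C:\Windows\System32\ping.exe", "TargetProcessSHA256": "1" * 64,
     "CommandLine": "ping 10.0.0.1",
     "User": r"CORP\erin", "Dvc": "ws04.corp.example"},
]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit["HostName"], hit["AccountNTDomain"], hit["AccountName"],
              hit["Process"], hit["CommandLine"])
```

Running it against the constructed events shows three alerts (file name, arguments, hash) and two non-events. Two points a practitioner should take from the replay: the rule's parent-process filter means AdFind launched from anything other than pwsh.exe, powershell.exe or cmd.exe is silently skipped, so the rule is a high-confidence signal rather than full coverage; and because AccountName is derived by splitting User on a backslash, events whose User is in UPN form arrive with an empty AccountName and the whole UPN in AccountNTDomain, which matters if entity mapping keys on AccountName. The SHA256 matches exactly one build of the tool, so the file-name and argument branches are what catch renamed or rebuilt copies.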