ADFind
Original Analytic
```yaml
title: Suspicious AdFind Execution
id: 75df3b17-8bcc-4565-b89b-c9898acef911
status: experimental
description: Detects the execution of AdFind for Active Directory enumeration
references:
    - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
    - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/fin6/Emulation_Plan/Phase1.md
    - https://thedfirreport.com/2020/05/08/adfind-recon/
author: FPT.EagleEye Team, omkar72, oscd.community
date: 2020/09/26
modified: 2021/05/12
tags:
    - attack.discovery
    - attack.t1018
    - attack.t1087.002
    - attack.t1482
    - attack.t1069.002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - 'objectcategory'
            - 'trustdmp'
            - 'dcmodes'
            - 'dclist'
            - 'computers_pwdnotreqd'
        Image|endswith: '\adfind.exe'
    condition: selection
falsepositives:
    - Administrative activity
level: medium
```
Analytic Source: SigmaHQ
Original Analytic Scoring

| | Application (A) | User-Mode (U) | Kernel-Mode (K) |
|---|---|---|---|
| Core to (Sub-) Technique (5) | | | |
| Core to Part of (Sub-) Technique (4) | | | |
| Core to Pre-Existing Tool or Inside Boundary (3) | | | |
| Core to Adversary-Brought Tool or Outside Boundary (2) | | | EventID: 1; CommandLine\|contains: 'objectcategory', 'trustdmp', 'dcmodes', 'dclist', 'computers_pwdnotreqd' |
| Ephemeral (1) | | | Image\|endswith: '\adfind.exe' |
Improved Analytic Scoring

| | Application (A) | User-Mode (U) | Kernel-Mode (K) |
|---|---|---|---|
| Core to (Sub-) Technique (5) | | | |
| Core to Part of (Sub-) Technique (4) | | | |
| Core to Pre-Existing Tool or Inside Boundary (3) | | | |
| Core to Adversary-Brought Tool or Outside Boundary (2) | | | EventID: 1; CommandLine\|contains: 'objectcategory', 'trustdmp', 'dcmodes', 'dclist', 'computers_pwdnotreqd'; OriginalFileName\|endswith: '\adfind.exe' |
| Ephemeral (1) | | | |
This analytic looks for specific command-line arguments of the ADFind tool, identified when `Image` ends with `adfind.exe`. The logsource for this analytic is `process_creation`, so it could potentially fire for Windows Event ID 4688 or Sysmon Event ID 1. This analytic references the `Image` field, which does not exist in Event ID 4688 but does exist in Sysmon Event ID 1. [1] Event ID 4688 has the field `NewProcessName`, though it could be mapped to another field name in your SIEM of choice. We proceed with the interpretation that 4688 events will not be returned, and therefore score this using Event ID 1.
Sysmon Event ID 1 is generated when Win32 API functions are called to create a new process. [2] However, instead of operating from a userland artifact, Sysmon awaits a kernel callback that notifies it via the `PsSetCreateProcessNotifyRoutineEx` function that a new process has been created. The aforementioned routine is normally triggered any time a new process is registered with the kernel, at which point every driver in the callback array is notified of the new process registration. Although it is possible for the notification routine to be avoided, doing so generally requires modifying either Sysmon (to suppress the driver callback) or the driver itself (so that notifications of process registration are never sent out), both of which are quite impractical. Therefore, it is a kernel-mode log source and we can place the observables in Column K: Kernel-Mode.
`Image|endswith: '\adfind.exe'` is placed at Level 1: Ephemeral Values. An adversary can easily obfuscate or change the `Image` value by renaming the file. The command-line arguments are placed at Level 2: Core to Adversary-Brought Tool or Outside Boundary, since they are specific to the ADFind tool and changing them requires modifying the tool's source code. Since the `CommandLine` and `Image` observables in the analytic are ANDed together, according to our Boolean logic the entire analytic scores as a 1K.
The robustness of this analytic can be increased by leveraging the `OriginalFileName` field in Sysmon Event ID 1 instead of `Image`. It is trivial for an adversary to change the `Image` name ending in `adfind.exe` to avoid detection. It is more challenging for an adversary to change the `OriginalFileName`, since it is derived from the PE header. Changing the PE header requires either modifying values at the executable's compile time or modifying raw bytes with a hex editor, both of which are more complex for an adversary than renaming a file on a compromised system. By instead detecting `OriginalFileName|endswith: '\adfind.exe'`, this analytic moves up a level to 2K.
Another approach to improving the robustness of this analytic is to drop the `Image` or `OriginalFileName` condition completely, since the command-line arguments specified in the first clause are likely unique to the ADFind tool. That second clause only adds a way for an adversary to evade the analytic; dropping it does not decrease accuracy.
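To make the trade-offs above concrete, the following is an added example (not part of the original page or of the SigmaHQ rule) that evaluates the three variants, keyed on `Image`, on `OriginalFileName`, and on the command line alone, against Sysmon Event ID 1 records constructed for illustration, and scores each variant with the Boolean rule used above (ANDed observables score at their lowest level). One assumption is worth noting: Sysmon's `OriginalFileName` field holds only the name from the PE version resource (for instance `AdFind.exe`) with no path, so the example compares it for case-insensitive equality with `adfind.exe` rather than testing for a `\adfind.exe` suffix; Sigma string matching is case-insensitive by default, which the helpers mirror.

```python
"""Evaluate the three AdFind analytic variants (Image-based, OriginalFileName-based,
and command-line-only) against constructed Sysmon Event ID 1 records, and score
each variant with the rule that ANDed observables score at their lowest level."""

# Constructed Sysmon Event ID 1 records, not real telemetry. Field names follow Sysmon:
# Image is the full path on disk; OriginalFileName comes from the PE version resource
# and carries only the file name, never a path.
SAMPLE_EVENTS = [
    {   # AdFind run under its own file name
        "EventID": 1,
        "Image": r"C:\Tools\AdFind.exe",
        "OriginalFileName": "AdFind.exe",
        "CommandLine": 'AdFind.exe -f "(objectcategory=person)"',
    },
    {   # the same binary copied to disk under a different name
        "EventID": 1,
        "Image": r"C:\Windows\Temp\svchost32.exe",
        "OriginalFileName": "AdFind.exe",
        "CommandLine": "svchost32.exe -sc trustdmp",
    },
    {   # administrative activity that shares a keyword (the rule's listed false positive)
        "EventID": 1,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": 'powershell.exe Get-ADObject -LDAPFilter "(objectcategory=computer)"',
    },
    {   # AdFind invoked without any of the listed arguments: no variant fires
        "EventID": 1,
        "Image": r"C:\Tools\AdFind.exe",
        "OriginalFileName": "AdFind.exe",
        "CommandLine": "AdFind.exe -h",
    },
]

# The CommandLine|contains list from the Sigma rule
ADFIND_ARGS = ("objectcategory", "trustdmp", "dcmodes", "dclist", "computers_pwdnotreqd")


def _contains_any(value, needles):
    # Sigma string matching is case-insensitive by default, so compare in lower case
    value = value.lower()
    return any(needle in value for needle in needles)


def cmdline_matches(event):
    """First clause of the rule: CommandLine|contains any of the AdFind arguments."""
    return _contains_any(event.get("CommandLine", ""), ADFIND_ARGS)


def original_rule(event):
    """Original analytic: Image|endswith '\\adfind.exe' AND the command-line clause."""
    return (event.get("EventID") == 1
            and event.get("Image", "").lower().endswith("\\adfind.exe")
            and cmdline_matches(event))


def improved_rule(event):
    """Improved analytic keyed on OriginalFileName. Because that field holds a bare
    file name, the match is an equality test on 'adfind.exe' rather than a
    '\\adfind.exe' suffix test (assumption made for this example)."""
    return (event.get("EventID") == 1
            and event.get("OriginalFileName", "").lower() == "adfind.exe"
            and cmdline_matches(event))


def cmdline_only_rule(event):
    """Variant that drops the file-name clause entirely."""
    return event.get("EventID") == 1 and cmdline_matches(event)


RULES = {
    "original": original_rule,
    "improved": improved_rule,
    "cmdline_only": cmdline_only_rule,
}


def evaluate(events=SAMPLE_EVENTS):
    """Return {variant: [indices of the events it fires on]}."""
    return {name: [i for i, ev in enumerate(events) if rule(ev)]
            for name, rule in RULES.items()}


# Levels assigned on the page, all in column K (kernel-mode log source)
LEVELS = {"Image": 1, "OriginalFileName": 2, "CommandLine": 2}


def score(observables):
    """Score ANDed observables: the analytic is only as robust as its weakest observable."""
    return f"{min(LEVELS[name] for name in observables)}K"


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:13s} fires on events {hits}")
    print("original:", score(["CommandLine", "Image"]))             # 1K
    print("improved:", score(["CommandLine", "OriginalFileName"]))  # 2K
    print("cmdline_only:", score(["CommandLine"]))                  # 2K
```

Running it shows the original variant firing only on the first record, the `OriginalFileName` variant also catching the renamed copy, and the command-line-only variant additionally flagging the PowerShell record, which is the kind of administrative activity the rule lists as a false positive; the fourth record, AdFind run without any of the listed arguments, is matched by none of them.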
References