Rule : Detection of ADFind Command Usage
Adfind Detection
Query
let commandline = dynamic(["objectcategory","domainlist","dcmodes","adinfo","trustdmp","computers_pwdnotreqd","Domain Admins", "objectcategory=*"]);
DeviceProcessEvents
| where ProcessCommandLine has_any (commandline)
| where ProcessCommandLine matches regex "(.*)>(.*)"About this query
Explanation
This query is designed to detect the use of the ADFind command-line tool, which is often used by attackers to gather information from Active Directory for reconnaissance purposes. The query looks for specific keywords in the command line that are commonly associated with ADFind usage, such as "objectcategory", "domainlist", "adinfo", and "trustdmp". It also checks for patterns that indicate the output of these commands might be redirected or piped, which could suggest an attempt to manipulate or exfiltrate the data.
In simple terms, this query helps identify when someone is using ADFind to potentially gather sensitive Active Directory information, which could be an early sign of malicious activity like lateral movement or privilege escalation.
Details

Ali Hussein
Released: August 26, 2024
Tables
Keywords
Operators