Skip to content

S0552 AdFind

AdFind is a free command-line query tool that can be used for gathering information from Active Directory.132

Item Value
ID S0552
Associated Names
Type TOOL
Version 1.5
Created 28 December 2020
Last Modified 25 September 2024
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.002 Domain Account AdFind can enumerate domain users.13254
enterprise T1482 Domain Trust Discovery AdFind can gather information about organizational units (OUs) and domain trusts from Active Directory.1324
enterprise T1069 Permission Groups Discovery -
enterprise T1069.002 Domain Groups AdFind can enumerate domain groups.1324
enterprise T1018 Remote System Discovery AdFind has the ability to query Active Directory for computers.1325
enterprise T1016 System Network Configuration Discovery AdFind can extract subnet information from Active Directory.132

Groups That Use This Software

ID Name References
G0092 TA505 9
G0030 Lotus Blossom Lotus Blossom has used AdFind to query Active Directory in victim environments.10
G0102 Wizard Spider 21312111
G0046 FIN7 14
G1040 Play 1516
G1043 BlackByte BlackByte used AdFind during operations.1817
G0037 FIN6 3
G1024 Akira 19
G0129 Mustang Panda Mustang Panda has utilized AdFind for enumerating domain groups, users, and computers.20
G1032 INC Ransom 21
G0016 APT29 8722252624
G0045 menuPass 23

References

  1. Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020. 

  2. Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020. 

  3. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019. 

  4. Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022. 

  5. Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022. 

  6. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022. 

  7. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022. 

  8. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021. 

  9. Terefos, A. (2020, November 18). TA505: A Brief History of Their Time. Retrieved July 14, 2022. 

  10. Symntec Threat Hunter Team. (2022, November 12). Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries. Retrieved March 15, 2025. 

  11. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023. 

  12. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020. 

  13. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020. 

  14. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021. 

  15. CISA. (2023, December 18). #StopRansomware: Play Ransomware AA23-352A. Retrieved September 24, 2024. 

  16. Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024. 

  17. Microsoft Incident Response. (2023, July 6). The five-day job: A BlackByte ransomware intrusion case study. Retrieved December 16, 2024. 

  18. Symantec Threat Hunter Team. (2022, October 21). Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool. Retrieved December 16, 2024. 

  19. Steven Campbell, Akshay Suthar, & Connor Belfiorre. (2023, July 26). Conti and Akira: Chained Together. Retrieved February 20, 2024. 

  20. Lior Rochberger, Tom Fakterman, Robert Falcone. (2023, September 22). Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda. Retrieved September 9, 2025. 

  21. Counter Threat Unit Research Team. (2024, April 15). GOLD IONIC DEPLOYS INC RANSOMWARE. Retrieved June 5, 2024. 

  22. ESET. (2022, February). THREAT REPORT T3 2021. Retrieved February 10, 2022. 

  23. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020. 

  24. Mandiant. (2022, April 27). Assembling the Russian Nesting Doll: UNC2452 Merged into APT29. Retrieved March 26, 2023. 

  25. NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021. 

  26. UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021.