Skip to content

S0552 AdFind

AdFind is a free command-line query tool that can be used for gathering information from Active Directory.123

Item Value
ID S0552
Associated Names
Version 1.0
Created 28 December 2020
Last Modified 29 December 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.002 Domain Account AdFind can enumerate domain users.123
enterprise T1482 Domain Trust Discovery AdFind can gather information about organizational units (OUs) and domain trusts from Active Directory.123
enterprise T1069 Permission Groups Discovery -
enterprise T1069.002 Domain Groups AdFind can enumerate domain groups.123
enterprise T1018 Remote System Discovery AdFind has the ability to query Active Directory for computers.123
enterprise T1016 System Network Configuration Discovery AdFind can extract subnet information from Active Directory.123

Groups That Use This Software

ID Name References
G0037 FIN6 2
G0045 menuPass 4
G0102 Wizard Spider 3561
G0016 APT29 789
G0046 FIN7 10


  1. Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020. 

  2. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019. 

  3. Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020. 

  4. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020. 

  5. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020. 

  6. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020. 

  7. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021. 

  8. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022. 

  9. ESET. (2022, February). THREAT REPORT T3 2021. Retrieved February 10, 2022. 

  10. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021. 

Back to top