S0552 AdFind
AdFind is a free command-line query tool that can be used for gathering information from Active Directory.[1][2][3]
Item | Value |
---|---|
ID | S0552 |
Associated Names | |
Type | TOOL |
Version | 1.0 |
Created | 28 December 2020 |
Last Modified | 29 December 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1087 | Account Discovery | - |
enterprise | T1087.002 | Domain Account | AdFind can enumerate domain users.[1][2][3] |
enterprise | T1482 | Domain Trust Discovery | AdFind can gather information about organizational units (OUs) and domain trusts from Active Directory.[1][2][3] |
enterprise | T1069 | Permission Groups Discovery | - |
enterprise | T1069.002 | Domain Groups | AdFind can enumerate domain groups.[1][2][3] |
enterprise | T1018 | Remote System Discovery | AdFind has the ability to query Active Directory for computers.[1][2][3] |
enterprise | T1016 | System Network Configuration Discovery | AdFind can extract subnet information from Active Directory.[1][2][3] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0037 | FIN6 | [2] |
G0045 | menuPass | [4] |
G0102 | Wizard Spider | [3][5][6][1] |
G0016 | APT29 | [7][8][9] |
G0046 | FIN7 | [10] |
References
1. Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
2. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
3. Goody, K. et al. (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
4. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
5. The DFIR Report. (2020, October 8). Ryuk's Return. Retrieved October 9, 2020.
6. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
7. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers. Retrieved January 5, 2021.
8. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
9. ESET. (2022, February). THREAT REPORT T3 2021. Retrieved February 10, 2022.
10. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.