
PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE

sigma HIGH SigmaHQ
T1087.002
imProcessCreate
backdoor
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-13T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects active directory enumeration activity using known AdFind CLI flags

Detection Rule

Sigma (Original)

title: PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE
id: 455b9d50-15a1-4b99-853f-8d37655a4c1b
related:
    - id: 9a132afa-654e-11eb-ae93-0242ac130002
      type: similar
    - id: 514e7e3e-b3b4-4a67-af60-be20f139198b
      type: similar
status: test
description: Detects active directory enumeration activity using known AdFind CLI flags
references:
    - https://www.joeware.net/freetools/tools/adfind/
    - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md
author: frack113
date: 2021-12-13
modified: 2023-03-05
tags:
    - attack.discovery
    - attack.t1087.002
logsource:
    product: windows
    category: process_creation
detection:
    selection_password: # Listing password policy
        CommandLine|contains:
            - lockoutduration
            - lockoutthreshold
            - lockoutobservationwindow
            - maxpwdage
            - minpwdage
            - minpwdlength
            - pwdhistorylength
            - pwdproperties
    selection_enum_ad: # Enumerate Active Directory Admins
        CommandLine|contains: '-sc admincountdmp'
    selection_enum_exchange: # Enumerate Active Directory Exchange AD Objects
        CommandLine|contains: '-sc exchaddresses'
    condition: 1 of selection_*
falsepositives:
    - Authorized administrative activity
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration/info.yml

KQL (Azure Sentinel)

imProcessCreate
| where (TargetProcessCommandLine contains "lockoutduration"
        or TargetProcessCommandLine contains "lockoutthreshold"
        or TargetProcessCommandLine contains "lockoutobservationwindow"
        or TargetProcessCommandLine contains "maxpwdage"
        or TargetProcessCommandLine contains "minpwdage"
        or TargetProcessCommandLine contains "minpwdlength"
        or TargetProcessCommandLine contains "pwdhistorylength"
        or TargetProcessCommandLine contains "pwdproperties")
    or TargetProcessCommandLine contains "-sc admincountdmp"
    or TargetProcessCommandLine contains "-sc exchaddresses"
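
The following is an added example, not code from SigmaHQ or from this page: a small evaluator that applies the rule's three selections and its `1 of selection_*` condition to constructed process-creation records, so the matching behaviour (case-insensitive substring checks on the command line only, with no dependency on the image name) can be tested offline before the KQL is deployed.

```python
# Added example (not part of the SigmaHQ rule or this page): a minimal
# evaluator for the three selections above, run over constructed events.

# Substrings copied from the rule. Sigma 'contains' (and Kusto 'contains')
# match case-insensitively, so every comparison is done on lowercased text.
PASSWORD_POLICY_FLAGS = (
    "lockoutduration", "lockoutthreshold", "lockoutobservationwindow",
    "maxpwdage", "minpwdage", "minpwdlength", "pwdhistorylength", "pwdproperties",
)
ADMIN_DUMP_FLAG = "-sc admincountdmp"
EXCHANGE_ADDR_FLAG = "-sc exchaddresses"


def matched_selections(command_line: str) -> list[str]:
    """Return the names of the rule's selections that this command line satisfies."""
    cl = command_line.lower()
    hits = []
    if any(flag in cl for flag in PASSWORD_POLICY_FLAGS):
        hits.append("selection_password")
    if ADMIN_DUMP_FLAG in cl:
        hits.append("selection_enum_ad")
    if EXCHANGE_ADDR_FLAG in cl:
        hits.append("selection_enum_exchange")
    return hits


def evaluate(events: list[dict]) -> list[dict]:
    """Apply 'condition: 1 of selection_*': alert when at least one selection matches."""
    alerts = []
    for event in events:
        hits = matched_selections(event.get("CommandLine", ""))
        if hits:
            alerts.append({**event, "selections": hits})
    return alerts


# Constructed process-creation records (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Tools\AdFind.exe",
     "CommandLine": "AdFind.exe -default -s base lockoutDuration maxPwdAge"},
    {"id": 2, "Image": r"C:\Tools\adfind.exe",
     "CommandLine": "adfind.exe -sc admincountdmp"},
    {"id": 3, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user /domain"},
    {"id": 4, "Image": r"C:\Tools\adfind.exe",
     "CommandLine": "adfind.exe -f objectcategory=computer"},  # no listed flag: not matched
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert["id"], alert["Image"], alert["selections"])
```

Event 4 shows the rule's scope: an AdFind query that uses none of the listed flags is left to the two `related` rules, so coverage should be judged across all three together.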

Required Data Sources

Sentinel Table: imProcessCreate
Notes: Ensure this data connector is enabled

False Positive Guidance

The rule lists one expected false positive: authorized administrative activity. AdFind is a legitimate administration tool, so a match should be triaged against the executing user and host before escalation.

MITRE ATT&CK Context

Tactic: Discovery (attack.discovery). Technique: T1087.002, Account Discovery: Domain Account (attack.t1087.002).
References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml