AdFind
AdFind is a free command-line query tool that can be used for gathering information from Active Directory.[1][2][3]
ID: S0552
Type: TOOL
Platforms: Windows
Version: 1.0
Created: 28 December 2020
Last Modified: 29 December 2020
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1087.002 | Account Discovery: Domain Account | |
Enterprise | T1482 | Domain Trust Discovery | AdFind can gather information about organizational units (OUs) and domain trusts from Active Directory.[1][2][3] |
Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | |
Enterprise | T1018 | Remote System Discovery | AdFind has the ability to query Active Directory for computers.[1][2][3] |
Enterprise | T1016 | System Network Configuration Discovery | AdFind can extract subnet information from Active Directory.[1][2][3] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0037 | FIN6 | |
G0102 | Wizard Spider | |
G0045 | menuPass | |
G0118 | UNC2452 | |
References
- Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
- McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
- Goody, K., et al. (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
- The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
- The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
- Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
- MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers. Retrieved January 5, 2021.