1. Home
  2. Software
  3. AdFind

AdFind

AdFind is a free command-line query tool that can be used for gathering information from Active Directory.[1][2][3]

ID: S0552
Type: TOOL
Platforms: Windows
Version: 1.2
Created: 28 December 2020
Last Modified: 02 March 2023
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

AdFind can enumerate domain users.[1][2][3][4][5]
Enterprise T1482 Domain Trust Discovery

AdFind can gather information about organizational units (OUs) and domain trusts from Active Directory.[1][2][3][5]
Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

AdFind can enumerate domain groups.[1][2][3][5]
Enterprise T1018 Remote System Discovery

AdFind has the ability to query Active Directory for computers.[1][2][3][4]
Enterprise T1016 System Network Configuration Discovery

AdFind can extract subnet information from Active Directory.[1][2][3]

Groups That Use This Software

ID Name References
G0037 FIN6

[2]
G0046 FIN7

[6]
G0016 APT29

[7][8][9][10][11][12]
G0102 Wizard Spider

[3][13][14][1]
G0092 TA505

[15]
G0045 menuPass

[16]

Campaigns

ID Name Description
C0015 C0015

[17]
C0024 SolarWinds Compromise

[7][8]

References

  1. Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
  2. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
  3. Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
  4. Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022.
  5. Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022.
  6. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
  7. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.
  8. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
  9. ESET. (2022, February). THREAT REPORT T3 2021. Retrieved February 10, 2022.
  1. NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021.
  2. UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021.
  3. Mandiant. (2020, April 27). Assembling the Russian Nesting Doll: UNC2452 Merged into APT29. Retrieved March 26, 2023.
  4. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
  5. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
  6. Terefos, A. (2020, November 18). TA505: A Brief History of Their Time. Retrieved July 14, 2022.
  7. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
  8. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.