Techniques
Sample rules
PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE
- source: sigma
- techniques:
- t1087
- t1087.002
Description
Detects Active Directory enumeration activity using known AdFind CLI flags
Detection logic
  condition: 1 of selection_*
  selection_enum_ad:
    CommandLine|contains: '-sc admincountdmp'
  selection_enum_exchange:
    CommandLine|contains: '-sc exchaddresses'
  selection_password:
    CommandLine|contains:
      - 'lockoutduration'
      - 'lockoutthreshold'
      - 'lockoutobservationwindow'
      - 'maxpwdage'
      - 'minpwdage'
      - 'minpwdlength'
      - 'pwdhistorylength'
      - 'pwdproperties'
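To make the detection logic concrete, the following is an added example (not part of the Sigma rule or of any Sigma tooling) that transcribes the three selections above into a small Python matcher and runs it over constructed process-creation events. Two properties of the rule are worth seeing in code: Sigma string matching is case-insensitive unless the `cased` modifier is used, so mixed-case flags still fire; and every selection keys only on CommandLine, so the rule does not care whether the binary is still named AdFind.exe, but it also stays silent on AdFind invocations that use none of the listed flags. The event dictionaries and command lines are constructed for the example, not real telemetry.

```python
"""Added example: evaluate the AdFind enumeration rule above against
constructed process-creation events. Illustrative code only; it is not
Sigma, pySigma or any backend, and the events are made up."""

# Selections transcribed from the rule's detection block. A list under
# one field in Sigma is an OR: any one substring is enough.
SELECTIONS = {
    "selection_enum_ad": ["-sc admincountdmp"],
    "selection_enum_exchange": ["-sc exchaddresses"],
    "selection_password": [
        "lockoutduration",
        "lockoutthreshold",
        "lockoutobservationwindow",
        "maxpwdage",
        "minpwdage",
        "minpwdlength",
        "pwdhistorylength",
        "pwdproperties",
    ],
}


def matched_selections(event: dict) -> list[str]:
    """Return the names of every selection with at least one hit.
    Sigma's default string matching is case-insensitive, so both sides
    are lowercased before the substring test."""
    cmd = event.get("CommandLine", "").lower()
    return [
        name
        for name, needles in SELECTIONS.items()
        if any(needle.lower() in cmd for needle in needles)
    ]


def rule_fires(event: dict) -> bool:
    """Condition '1 of selection_*': at least one selection matched."""
    return bool(matched_selections(event))


# Constructed sample events (not real logs). The Image field is varied on
# purpose: the rule never looks at it, so a renamed AdFind binary with a
# covered flag still fires, while AdFind.exe with an uncovered query does not.
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\AdFind.exe",
     "CommandLine": "AdFind.exe -sc admincountdmp"},
    {"Image": r"C:\Users\Public\a.exe",
     "CommandLine": "a.exe -default -f objectcategory=domain "
                    "MinPwdAge MaxPwdAge lockoutThreshold"},
    {"Image": r"C:\Tools\AdFind.exe",
     "CommandLine": "AdFind.exe -sc exchaddresses"},
    {"Image": r"C:\Tools\AdFind.exe",
     "CommandLine": "AdFind.exe -f objectcategory=computer -csv"},
]


def run_over_samples(events=SAMPLE_EVENTS) -> list[tuple[str, list[str]]]:
    """Evaluate every event and return (CommandLine, selections hit)
    for those that fire."""
    hits = []
    for ev in events:
        sels = matched_selections(ev)
        if sels:
            hits.append((ev["CommandLine"], sels))
    return hits


if __name__ == "__main__":
    for cmd, sels in run_over_samples():
        print(f"ALERT {sels}: {cmd}")
```

The fourth sample shows the rule's scope: a computer-object query through AdFind.exe is not covered by this rule, so a detection engineer who wants that should pair it with an Image- or OriginalFileName-based AdFind rule rather than widening these flag lists.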