Merge pull request #2192 from TestLeper/patch-1

Create AdFind_Usage.yaml

Detections/DeviceProcessEvents/AdFind_Usage.yaml

@@ -0,0 +1,49 @@
+id: c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd
+name: Probable AdFind Recon Tool Usage
+description: |
+  'Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.'
+severity: High
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - DeviceProcessEvents
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Discovery
+relevantTechniques:
+  - T1018
+query: |
+
+ let args = dynamic(["objectcategory","domainlist","dcmodes","adinfo","trustdmp","computers_pwdnotreqd","Domain Admins", "objectcategory=person", "objectcategory=computer", "objectcategory=*","dclist"]);
+ let parentProcesses = dynamic(["pwsh.exe","powershell.exe","cmd.exe"]);
+ DeviceProcessEvents
+ //looks for execution from a shell
+ | where InitiatingProcessFileName in (parentProcesses)
+ // main filter
+ | where FileName =~ "AdFind.exe" or SHA256 == "c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3"
+    // AdFind common Flags to check for from various threat actor TTPs
+     or ProcessCommandLine has_any (args)
+ | extend AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = SHA256
+
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: AccountCustomEntity
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: HostCustomEntity
+  - entityType: Process
+    fieldMappings:
+      - identifier: ProcessId
+        columnName: ProcessCustomEntity
+  - entityType: FileHash
+    fieldMappings:
+      - identifier: Algorithm
+        columnName: SHA256
+      - identifier: Value
+        columnName: FileHashCustomEntity