Suspicious Enumeration using Adfind Tool

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Content Index

---

Query detects Adfind tool use for domain reconnaissance, regardless of executable name, focusing on DC and ADFS servers, to spot potential adversary activity.

Attribute	Value
Type	Hunting Query
Solution	Windows Security Events
ID	dd6fb889-43ef-44e1-a01d-093ab4bb12b2
Tactics	Execution, Discovery, Collection
Techniques	T1059, T1087, T1482, T1201, T1069, T1074
Required Connectors	SecurityEvents, WindowsSecurityEvents
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
SecurityEvent	EventID == "4688"	✓	✓	?

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Hunting Queries · Back to Windows Security Events