created a new rule

Author: swachchhanda000

rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml

@@ -3,35 +3,25 @@ id: 455b9d50-15a1-4b99-853f-8d37655a4c1b
 related:
     - id: 9a132afa-654e-11eb-ae93-0242ac130002
       type: similar
+    - id: 514e7e3e-b3b4-4a67-af60-be20f139198b
+      type: similar
 status: test
 description: Detects active directory enumeration activity using known AdFind CLI flags
 references:
     - https://www.joeware.net/freetools/tools/adfind/
     - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md
-author: frack113, Swachchhanda Shrawan Poudel (Nextron Systems)
+author: frack113
 date: 2021-12-13
-modified: 2025-02-23
+modified: 2023-03-05
 tags:
     - attack.discovery
     - attack.t1087.002
 logsource:
     product: windows
     category: process_creation
 detection:
-    selection_img:
-        - Image|endswith: '\AdFind.exe'
-        - OriginalFileName: 'AdFind.exe'
-        - Hashes|contains:
-              - 'IMPHASH=d144de8117df2beceaba2201ad304764'
-              - 'IMPHASH=12ce1c0f3f5837ecc18a3782408fa975'
-              - 'IMPHASH=bca5675746d13a1f246e2da3c2217492'
-              - 'IMPHASH=4fbf3f084fbbb2470b80b2013134df35'
-              - 'IMPHASH=49b639b4acbecc49d72a01f357aa4930'
-              - 'IMPHASH=53e117a96057eaf19c41380d0e87f1c2'
-              - 'IMPHASH=680dad9e300346e05a85023965867201'
-              - 'IMPHASH=21aa085d54992511b9f115355e468782'
-    selection_cmd_password: # Listing password policy
+    selection_password: # Listing password policy
         CommandLine|contains:
             - lockoutduration
             - lockoutthreshold
@@ -41,11 +31,11 @@ detection:
             - minpwdlength
             - pwdhistorylength
             - pwdproperties
-    selection_cmd__enum_ad: # Enumerate Active Directory Admins
+    selection_enum_ad: # Enumerate Active Directory Admins
         CommandLine|contains: '-sc admincountdmp'
-    selection_cmd_enum_exchange: # Enumerate Active Directory Exchange AD Objects
+    selection_enum_exchange: # Enumerate Active Directory Exchange AD Objects
         CommandLine|contains: '-sc exchaddresses'
     condition: 1 of selection_*
 falsepositives:
     - Authorized administrative activity
-level: high
+level: high

rules/windows/process_creation/proc_creation_win_pua_adfind_execution.yml

@@ -0,0 +1,35 @@
+title: PUA - AdFind.EXE Execution
+id: 514e7e3e-b3b4-4a67-af60-be20f139198b
+related:
+    - id: 455b9d50-15a1-4b99-853f-8d37655a4c1b
+      type: similar
+status: experimental
+description: Detects execution of Adfind.exe utility, which can be used for reconnaissance in an Active directory environment
+references:
+    - https://www.joeware.net/freetools/tools/adfind/
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-02-26
+tags:
+    - attack.discovery
+    - attack.t1087.002
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection:
+        - Image|endswith: '\AdFind.exe'
+        - OriginalFileName: 'AdFind.exe'
+        - Hashes|contains:
+              - 'IMPHASH=d144de8117df2beceaba2201ad304764'
+              - 'IMPHASH=12ce1c0f3f5837ecc18a3782408fa975'
+              - 'IMPHASH=bca5675746d13a1f246e2da3c2217492'
+              - 'IMPHASH=4fbf3f084fbbb2470b80b2013134df35'
+              - 'IMPHASH=49b639b4acbecc49d72a01f357aa4930'
+              - 'IMPHASH=53e117a96057eaf19c41380d0e87f1c2'
+              - 'IMPHASH=680dad9e300346e05a85023965867201'
+              - 'IMPHASH=21aa085d54992511b9f115355e468782'
+    condition: selection
+falsepositives:
+    - Usage of Adfind for legitimate administrative activity
+level: medium

rules/windows/process_creation/proc_creation_win_renamed_adfind.yml

@@ -11,7 +11,7 @@ references:
     - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md
 author: Florian Roth (Nextron Systems)
 date: 2022-08-21
-modified: 2024-11-23
+modified: 2025-02-26
 tags:
     - attack.discovery
     - attack.t1018
@@ -47,6 +47,12 @@ detection:
         Hashes|contains:
             - 'IMPHASH=BCA5675746D13A1F246E2DA3C2217492'
             - 'IMPHASH=53E117A96057EAF19C41380D0E87F1C2'
+            - 'IMPHASH=d144de8117df2beceaba2201ad304764'
+            - 'IMPHASH=12ce1c0f3f5837ecc18a3782408fa975'
+            - 'IMPHASH=4fbf3f084fbbb2470b80b2013134df35'
+            - 'IMPHASH=49b639b4acbecc49d72a01f357aa4930'
+            - 'IMPHASH=680dad9e300346e05a85023965867201'
+            - 'IMPHASH=21aa085d54992511b9f115355e468782'
     selection_3:
         OriginalFileName: 'AdFind.exe'
     filter: