From d29a28a4a811a6411cb5eb15e17a2c3c118adcd5 Mon Sep 17 00:00:00 2001
From: omkar72
Date: Mon, 12 Oct 2020 12:40:50 +0530
Subject: [PATCH 1/5] updated adfind command line
---
 rules/windows/process_creation/win_susp_adfind.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_adfind.yml b/rules/windows/process_creation/win_susp_adfind.yml
index a7269532b..7a8a89e04 100644
--- a/rules/windows/process_creation/win_susp_adfind.yml
+++ b/rules/windows/process_creation/win_susp_adfind.yml
@@ -5,8 +5,10 @@ description: Detects the execution of a AdFind for Active Directory enumeration
 references:
 - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
 - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/fin6/Emulation_Plan/Phase1.md
-author: FPT.EagleEye Team
+ - https://thedfirreport.com/2020/05/08/adfind-recon/
+author: FPT.EagleEye Team, omkar72, oscd.community
 date: 2020/09/26
+modified: 2020/10/11
 tags:
 - attack.discovery
 - attack.t1016
@@ -19,7 +21,9 @@ logsource:
 service: process_creation
 detection:
 selection:
- ProcessCommandline|contains: 'objectcategory'
+ ProcessCommandline|contains:
+ - 'objectcategory'
+ - 'sc'
 Image:
 - '*\adfind.exe'
 condition: selection
From cf5ad9197cde77bf1b3b374244fba816d34ad640 Mon Sep 17 00:00:00 2001
From: omkar72
Date: Mon, 12 Oct 2020 12:42:05 +0530
Subject: [PATCH 2/5] updated adfind command line
---
 rules/windows/process_creation/win_susp_adfind.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_susp_adfind.yml b/rules/windows/process_creation/win_susp_adfind.yml
index 7a8a89e04..343e421da 100644
--- a/rules/windows/process_creation/win_susp_adfind.yml
+++ b/rules/windows/process_creation/win_susp_adfind.yml
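Review bot: The rewritten `ProcessCommandline|contains:` line in the second hunk keeps a field name that is not the one the Sigma process_creation logsource normally uses, which is `CommandLine`; unless this repository's field mappings define `ProcessCommandline`, backends will pass the name through untranslated and the rule will match nothing, while the `Image` key in the same selection already uses the standard name. Proposed change: `CommandLine|contains:`. The newly added bare `'sc'` entry is also far too short for a substring match and would fire on almost any command line, though PATCH 2/5 and PATCH 4/5 in this series narrow and then drop it. The rule continues past the hunk after `condition: selection`.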
@@ -23,7 +23,7 @@ detection:
 selection:
 ProcessCommandline|contains:
 - 'objectcategory'
- - 'sc'
+ - '-sc'
 Image:
 - '*\adfind.exe'
 condition: selection
From 99d87d60ecfb60505107832f3b0c5d68acf0700b Mon Sep 17 00:00:00 2001
From: omkar72
Date: Mon, 12 Oct 2020 12:52:54 +0530
Subject: [PATCH 3/5] updated adfind command line
---
 rules/windows/process_creation/win_susp_adfind.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/rules/windows/process_creation/win_susp_adfind.yml b/rules/windows/process_creation/win_susp_adfind.yml
index 343e421da..c15f81ea6 100644
--- a/rules/windows/process_creation/win_susp_adfind.yml
+++ b/rules/windows/process_creation/win_susp_adfind.yml
@@ -24,6 +24,12 @@ detection:
 ProcessCommandline|contains:
 - 'objectcategory'
 - '-sc'
+ - 'trustdmp'
+ - 'domainlist'
+ - 'dcmodes'
+ - 'adinfo'
+ - 'dclist'
+ - 'computers_pwdnotreqd'
 Image:
 - '*\adfind.exe'
 condition: selection
From b8dc8d3f7eb802ab43efbb1411ad45d78131343e Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 12 Oct 2020 10:46:34 +0200
Subject: [PATCH 4/5] reduced to avoid FPs
---
 rules/windows/process_creation/win_susp_adfind.yml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_adfind.yml b/rules/windows/process_creation/win_susp_adfind.yml
index c15f81ea6..1d0301f1f 100644
--- a/rules/windows/process_creation/win_susp_adfind.yml
+++ b/rules/windows/process_creation/win_susp_adfind.yml
@@ -23,11 +23,8 @@ detection:
 selection:
 ProcessCommandline|contains:
 - 'objectcategory'
- - '-sc'
 - 'trustdmp'
- - 'domainlist'
 - 'dcmodes'
- - 'adinfo'
 - 'dclist'
 - 'computers_pwdnotreqd'
 Image:
From e2911a025e6ed6f4573c890f5f91144f1f4e5689 Mon Sep 17 00:00:00 2001
From: omkargudhate22 <36105402+omkar72@users.noreply.github.com>
Date: Mon, 12 Oct 2020 17:00:57 +0530
Subject: [PATCH 5/5] added tags and corrected image condition format
---
 rules/windows/process_creation/win_susp_adfind.yml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_adfind.yml b/rules/windows/process_creation/win_susp_adfind.yml
index 1d0301f1f..07b234894 100644
--- a/rules/windows/process_creation/win_susp_adfind.yml
+++ b/rules/windows/process_creation/win_susp_adfind.yml
@@ -11,11 +11,10 @@ date: 2020/09/26
 modified: 2020/10/11
 tags:
 - attack.discovery
- - attack.t1016
 - attack.t1018
+ - attack.t1087.002
 - attack.t1482
- #- attack.t1069.002
- #- attack.t1087.002
+ - attack.t1069.002
 logsource:
 product: windows
 service: process_creation
@@ -27,8 +26,7 @@ detection:
 - 'dcmodes'
 - 'dclist'
 - 'computers_pwdnotreqd'
- Image:
- - '*\adfind.exe'
+ Image|endswith: '\adfind.exe'
 condition: selection
 falsepositives:
 - Administrative activity
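Review bot: `modified: 2020/10/11` is carried as unchanged context in the first hunk although this commit, like PATCH 2/5 through 4/5, changes the detection logic and is dated 12 Oct; if this repository follows the usual Sigma convention of bumping `modified` on every logic change, the line should read `modified: 2020/10/12`. The tag edits themselves look consistent with the new keyword list: the two previously commented-out technique tags are enabled and `attack.t1016` is dropped.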
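Review bot: `Image|endswith: '\adfind.exe'` in the second hunk is the right operator for the image match, but because it sits in the same selection as the command-line list, the rule fires only when both the file name and one of the switches match, so the tool running under any other file name is not covered. One option that keeps the false-positive reduction from PATCH 4/5 is a second selection holding only the more AdFind-specific switches, OR'd with the image-based one, at the cost of re-checking those strings against benign telemetry before shipping. The `falsepositives` section continues past the hunk.
```yaml
    selection_img:
        Image|endswith: '\adfind.exe'
        ProcessCommandline|contains:
            - 'objectcategory'
            # … unchanged: remaining switches …
    selection_cli:
        ProcessCommandline|contains:
            - 'trustdmp'
            - 'dcmodes'
            - 'dclist'
            - 'computers_pwdnotreqd'
    condition: selection_img or selection_cli
```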