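# Install: cscli scenarios install sigmahq/proc_creation_win_pua_adfind_susp_usage
#
# CrowdSec scenario derived from the Sigma rule
# "PUA - AdFind Suspicious Execution" (proc_creation_win_pua_adfind_susp_usage).
# It is a `trigger`: a single Sysmon process-creation event (EventID 1) whose
# command line carries AdFind switches / LDAP filters typical of Active
# Directory reconnaissance raises the alert; no decision is issued (see
# `remediation: false`).
type: trigger
name: sigmahq/proc_creation_win_pua_adfind_susp_usage
description: |
  Detects AdFind execution with common flags seen used during attacks
# Sigma's `contains` modifier is case-insensitive, but the expr `contains`
# operator is a plain case-sensitive substring test. Matching the raw command
# line would let mixed-case spellings such as `ObjectCategory=` or `TRUSTDMP`
# slip past the rule, so the command line is lower-cased with the CrowdSec
# `Lower()` expr helper first and every needle is written in lowercase
# (hence `name="domain admins"`). The service/EventID check comes first and
# `&&` short-circuits, so the helper only runs on Sysmon EventID 1 events.
# Needles with surrounding spaces (' dclist ', ' oudmp ') are kept verbatim
# from the Sigma rule to avoid matching unrelated substrings.
filter: |
  (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') &&
  (
    Lower(evt.Parsed.CommandLine) contains 'domainlist' ||
    Lower(evt.Parsed.CommandLine) contains 'trustdmp' ||
    Lower(evt.Parsed.CommandLine) contains 'dcmodes' ||
    Lower(evt.Parsed.CommandLine) contains 'adinfo' ||
    Lower(evt.Parsed.CommandLine) contains ' dclist ' ||
    Lower(evt.Parsed.CommandLine) contains 'computer_pwdnotreqd' ||
    Lower(evt.Parsed.CommandLine) contains 'objectcategory=' ||
    Lower(evt.Parsed.CommandLine) contains '-subnets -f' ||
    Lower(evt.Parsed.CommandLine) contains 'name="domain admins"' ||
    Lower(evt.Parsed.CommandLine) contains '-sc u:' ||
    Lower(evt.Parsed.CommandLine) contains 'domainncs' ||
    Lower(evt.Parsed.CommandLine) contains 'dompol' ||
    Lower(evt.Parsed.CommandLine) contains ' oudmp ' ||
    Lower(evt.Parsed.CommandLine) contains 'subnetdmp' ||
    Lower(evt.Parsed.CommandLine) contains 'gpodmp' ||
    Lower(evt.Parsed.CommandLine) contains 'fspdmp' ||
    Lower(evt.Parsed.CommandLine) contains 'users_noexpire' ||
    Lower(evt.Parsed.CommandLine) contains 'computers_active' ||
    Lower(evt.Parsed.CommandLine) contains 'computers_pwdnotreqd'
  )
# Suppress repeat alerts for the same scope key for two minutes after a hit.
blackhole: 2m
#status: test
labels:
  service: windows
  confidence: 1
  spoofable: 0
  # MITRE ATT&CK tags carried over from the Sigma rule.
  classification:
    - attack.t1018
    - attack.t1087.002
    - attack.t1482
    - attack.t1069.002
  label: "PUA - AdFind Suspicious Execution"
  behavior: "windows:audit"
  # Audit-only: the alert is informational and never turns into a ban.
  remediation: false

# The alert is keyed on the parent process id of the AdFind process rather
# than on an IP, since there is nothing network-addressable to act on.
scope:
  type: ParentProcessId
  expression: evt.Parsed.ParentProcessId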