AdFind

⚠️ Overview

AdFind is a legitimate command-line Active Directory query tool originally developed by Joe Richards for network administration, but it has been widely abused by threat actors as a living-off-the-land (LotL) binary for reconnaissance. First documented in malicious campaigns around 2018 during Ryuk ransomware intrusions, AdFind is not a self-propagating malware family but a tool used post-compromise by multiple groups including FIN6, Conti, and Bumblebee operators (MITRE ATT&CK T1482, T1087.002, T1069.002). It falls under the reconnaissance category, aiding in domain enumeration and privilege escalation.

🔧 Technical Capabilities

AdFind executes LDAP queries against Active Directory to extract detailed information about users, groups, computers, domain trusts, Group Policies, and service accounts. Attackers deploy it via command-line execution after gaining initial access—often through phishing or RDP brute force—and may copy the binary to a victim’s system using tools like Cobalt Strike or PsExec. It does not have its own command-and-control infrastructure; instead, it relies on existing backdoors (e.g., SOCKS proxies, SSH tunnels) to relay output. Persistence is not inherent; AdFind is a single-use tool typically run from memory or temp directories. Evasion techniques include leveraging the tool’s legitimate digital signature to bypass application whitelisting and using obfuscated command lines (e.g., with double-dash parameters) to avoid detection by security monitoring tools. No encryption or stealth mechanisms are built in; the tool’s effectiveness comes from its trustworthiness in enterprise environments.

📜 History & Notable Incidents

AdFind’s first widely reported malicious use occurred in 2018 in Ryuk ransomware campaigns, where it was used to enumerate Active Directory objects prior to lateral movement (CISA Alert AA20-302A). Subsequent high-profile campaigns include Conti ransomware attacks (2021–2022), where actors used AdFind to map domain trusts and locate high-value targets, and FIN6’s exploitation of the tool for credential harvesting. No CVEs are associated with AdFind because it is not a vulnerable application; rather, it is a trusted utility that adversaries weaponize. Law enforcement actions have not targeted the tool itself, but arrests related to Ryuk and Conti operations indirectly reference its usage.

🔍 Detection Indicators

Behavioral signatures include unexpected execution of adfind.exe from non-standard paths (e.g., %TEMP%, %APPDATA%, or user-writable folders) or with command-line arguments such as -b (base DN), -f (filter), or -gcb (group membership). Network indicators consist of anomalous LDAP queries to domain controllers with high-volume objectClass=* or memberOf searches. Known file hashes vary by version (a1b2c3d4e5f6... is only an illustrative placeholder; the exact hash differs per build), so hash-based matching needs the hash of the specific build observed rather than a single catalogued value. No specific registry keys or mutex names are associated; User-Agent strings are not applicable as the tool uses native LDAP protocols.

☠️ Risk & Impact

AdFind enables attackers to rapidly map an entire Active Directory environment, identifying privileged accounts, domain admins, and trust relationships—critical steps for lateral movement and privilege escalation leading to ransomware deployment or data exfiltration. The tool has been linked to major incidents in healthcare, government, financial services, and critical infrastructure sectors, contributing to multi-million-dollar ransomware payouts and significant operational downtime (e.g., the 2021 HSE Ireland attack). Financial losses from associated ransomware campaigns exceed hundreds of millions globally.

🛡️ Mitigation

Defenders should block execution of adfind.exe from unauthorized locations using application whitelisting (AppLocker, Windows Defender Application Control) and enable logging of process creation (Event ID 4688, with command-line auditing turned on so that the arguments are recorded) and directory object access (Event ID 4662) to detect anomalous activity. Additionally, restrict network access to domain controllers from non-admin workstations and implement behavioral detection rules in SIEMs for unusual query patterns, referencing MITRE D3FEND techniques.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.