```yaml
title: AdFind LDAP Enumeration
id: edr-win-disc-adfind-enum
status: stable
description: >
  Detects AdFind.exe execution via filename, display name, or file path.
  AdFind is a command-line LDAP query tool abused by virtually every major
  IAB and ransomware operator for Active Directory enumeration. Detection
  covers renamed variants via PE metadata.
references:
  - https://thedfirreport.com/2023/12/18/lets-opendir-some-presents/
  - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem/
author: ShroudCloud
date: 2026/04/14
modified: 2026/04/14
tags:
  - attack.discovery
  - attack.t1018
  - attack.t1087.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    - Image|contains: 'adfind'
    - Product|contains: 'adfind'
    - TargetFilename|contains: 'adfind.'
  condition: selection
falsepositives:
  - Authorized AD auditing by IT administrators
level: high
```
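To see what this selection actually fires on, here is an added Python evaluator (not part of the rule above or of any Sigma tooling) that applies the rule's `contains` clauses, with Sigma's OR-of-maps and case-insensitive matching semantics, to constructed process_creation events. The event field values and paths are assumptions; the last sample shows that a bare `contains: 'adfind'` on Image also matches unrelated names such as ThreadFinder.exe, which is worth knowing when tuning the falsepositives list.

```python
# Selection block transcribed from the rule above; a list of maps is OR-ed.
SELECTION = [
    {"Image|contains": "adfind"},
    {"Product|contains": "adfind"},
    {"TargetFilename|contains": "adfind."},
]

def match_value(modifier, expected, actual):
    """Apply one Sigma string modifier (case-insensitive, as Sigma specifies)."""
    actual, expected = str(actual).lower(), str(expected).lower()
    if modifier == "":           # no modifier: exact, case-insensitive equality
        return actual == expected
    if modifier == "contains":
        return expected in actual
    if modifier == "startswith":
        return actual.startswith(expected)
    if modifier == "endswith":
        return actual.endswith(expected)
    raise ValueError(f"unsupported modifier: {modifier}")

def clause_matches(clause, event):
    """Every field/value pair inside one map must match (AND); a missing field never matches."""
    for key, expected in clause.items():
        field, _, modifier = key.partition("|")
        if field not in event or not match_value(modifier, expected, event[field]):
            return False
    return True

def selection_matches(selection, event):
    """Any map in the selection list matching is a hit (OR)."""
    return any(clause_matches(c, event) for c in selection)

# Constructed process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    # Renamed copy: only the PE 'Product' metadata still says AdFind.
    {"Image": r"C:\Users\Public\svc_update.exe", "Product": "AdFind"},
    # Unrenamed execution from a temp directory.
    {"Image": r"C:\Temp\AdFind.exe", "Product": "AdFind"},
    # Benign built-in: 'find' is not 'adfind'.
    {"Image": r"C:\Windows\System32\find.exe", "Product": "Microsoft Windows"},
    # Tuning caveat: 'threadfinder' contains the substring 'adfind'.
    {"Image": r"C:\Tools\ThreadFinder.exe", "Product": "ThreadFinder"},
]

def alerts(events):
    """Return the Image of every event the selection fires on."""
    return [e["Image"] for e in events if selection_matches(SELECTION, e)]
```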