AdFind
AdFind is a legitimate command-line Active Directory query utility from joeware.net that is frequently abused as a dual-use reconnaissance tool during post-compromise activity. The content consistently describes it as being used to query and extract data from Active Directory, including enumerating computers, domain users, domain groups, organizational units, domain trusts, remote systems, and system network configuration. It is mapped to ATT&CK-style discovery behaviors including Domain Account Discovery, Domain Trust Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, and System Network Configuration Discovery.
The tool appears repeatedly in intrusion reporting as renamed or obfuscated variants to evade detection. In SolarWinds-related intrusions investigated by Volexity, a file named sqlceip.exe was identified as AdFind masquerading as the Microsoft SQL Server Telemetry Client. Microsoft also noted renamed AdFind used by the SolarWinds actor for Active Directory reconnaissance against domain controllers. SentinelLABS reported Black Basta using a uniquely obfuscated AdFind variant named AF.exe for Active Directory discovery.
Threat actors and operations explicitly associated in the content with AdFind use include APT29/NOBELIUM during the SolarWinds compromise, Dark Halo/UNC2452-related activity, UNC2447, Black Basta, Akira affiliates, Mustang Panda, Lotus Blossom, Play, Wizard Spider, and Andariel, as well as broader ransomware and intrusion activity where attackers used AdFind alongside tools such as BloodHound, Mimikatz, Cobalt Strike, ProcDump, PsExec, and WinPEAS. Reported use cases center on reconnaissance and environment mapping prior to credential theft, privilege escalation, lateral movement, email theft, exfiltration, or ransomware deployment.
Targeting reflected in the content is primarily Windows enterprise environments with Active Directory, including incidents affecting a US-based think tank in the SolarWinds campaign and health-sector organizations in reporting on Akira activity. No malware-style persistence or self-propagation behavior is attributed to AdFind itself in the provided content; it is described as a legitimate utility abused by attackers. A notable indicator from the content is the use of renamed binaries such as sqlceip.exe and AF.exe to disguise AdFind execution.
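A constructed detection check added for this page (not code from any vendor, from joeware, or from Mallory): it triages Sysmon-style process-creation events for the two signals described above, a PE OriginalFileName of AdFind.exe under a different on-disk name (as with sqlceip.exe) and AdFind-specific command-line switches regardless of name (for stripped or obfuscated copies such as AF.exe). It assumes the AdFind binary's version resource reports OriginalFileName AdFind.exe and that the listed switch and shortcut names are AdFind's own; the sample events are constructed.

```python
import re

# Constructed Sysmon-style (Event ID 1) process-creation events; not real telemetry.
# OriginalFileName comes from the PE version resource, which survives renaming on disk;
# Sysmon records "?" when the resource is absent, as a stripped build might be.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Temp\sqlceip.exe", "OriginalFileName": "AdFind.exe",
     "CommandLine": "sqlceip.exe -f (objectcategory=person) > users.txt"},
    {"Image": r"C:\ProgramData\AF.exe", "OriginalFileName": "?",
     "CommandLine": "AF.exe -sc trustdmp"},
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"Image": r"C:\Tools\AdFind.exe", "OriginalFileName": "AdFind.exe",
     "CommandLine": "AdFind.exe -b dc=corp,dc=local -f objectcategory=computer"},
]

# AdFind-specific switches and "-sc" shortcut names (assumed from AdFind's own usage text);
# they have no counterpart in net.exe, nltest.exe or other built-in admin tooling.
ADFIND_MARKERS = re.compile(
    r"(?i)(\s-sc\s+(trustdmp|dclist|dcmodes|domainlist|adinfo|oudmp|gpodmp|subnetdmp)"
    r"|objectcategory=|\s-default\b|\s-subnets\b)"
)


def classify(event):
    """Return the reasons an event looks like AdFind; an empty list means no match."""
    reasons = []
    image_name = event["Image"].rsplit("\\", 1)[-1].lower()
    # Signal 1: version resource says AdFind.exe but the file on disk is called something else.
    if event.get("OriginalFileName", "").lower() == "adfind.exe" and image_name != "adfind.exe":
        reasons.append("renamed_adfind")
    # Signal 2: AdFind-only switches on the command line, whatever the binary is named.
    if ADFIND_MARKERS.search(event.get("CommandLine", "")):
        reasons.append("adfind_cmdline")
    return reasons


def triage(events):
    """Map each matching image path to its reasons; non-matching events are dropped."""
    return {e["Image"]: classify(e) for e in events if classify(e)}


if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS).items():
        print(image, "->", ", ".join(reasons))
```

Both signals fire on the renamed sqlceip.exe sample, while the obfuscated AF.exe sample is caught only by its command line, which is why the command-line check should not be dropped in favour of the OriginalFileName check alone.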
Groups observed using it
10 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The attacker also made use of a file called sqlceip.exe, which upon first glance might appear as the legitimate version of SQL Server Telemetry Client provided by Microsoft. However, Volexity determined this tool was actually a version of AdFind from joeware.net. AdFind is a command-line tool used for querying and extracting data from Active Directory.
AdFind has the ability to query Active Directory for computers.
...open-source and dual-use tools as used and/or customized by the actors: ... AdFind ...
This includes running native Windows commands on compromised servers, executing ADFind on the Active Directory...
By abusing legitimate tools such as Cobalt Strike, Mimikatz, ProcDump, AdFind, and WinPEAS, the group conducts credential theft, privilege escalation, lateral movement, and data exfiltration.
...UNC2447 has been observed using the following tools: ADFIND, BLOODHOUND, MIMIKATZ...
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
The content repeatedly states that threat actors 'obtained,' 'acquired,' or 'used' publicly available, open-source, legitimate, or modified tools such as Mimikatz, Cobalt Strike, PsExec, Empire, Impacket, and many others.
Stealth
1 technique
Files pertaining to the threat actor's post-exploitation activities, such as reconnaissance of the internal network, were deleted to hinder forensic analysis efforts.
Discovery
10 techniques
The content repeatedly describes actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.
Several actors used discovery tools such as BloodHound, AdFind, Advanced IP Scanner, SoftPerfect Network Scanner, NBTscan, RustScan, and SNScan for user, system, and network discovery.
Below is a basic example of how to use adfind.exe to pull user data... After obtaining a full list of users on the domain, check for common weak passwords.
Commands such as net user /domain and net group /domain ... can list domain users and groups.
GeminiDuke focuses primarily on gathering details about the victim’s computer’s configuration.
ATT&CK Mapping: The full TTP set observed in this intrusion mapped to the following ATT&CK techniques:
Discovery: T1087, T1482 (Account / Domain Trust Discovery); evidence: EID 4688 (nltest.exe, net.exe)
T1087.002 - Domain Account. Description from ATT&CK: Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.
Domain Trust Discovery [T1482]: Can involve the use of custom scripts or tools like AdFind to gather information on domain trust relationships and identify ways for a threat actor to move laterally.
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
26 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Active Directory reconnaissance tool used to enumerate and query AD objects; leveraged post-compromise to map environments and identify targets for lateral movement.
Active Directory enumeration tool abused by Play/Balloonfly for discovery in victim environments prior to ransomware deployment.
Active Directory query utility used for reconnaissance/AD enumeration; in these intrusions it is used in an obfuscated form to inventory domain computers and related attributes.
Active Directory discovery tool used to enumerate directory objects/trusts to support targeting and lateral movement.