Mallory
Malware · Ransomware · Used by 10 actors

ADFind

AdFind is a legitimate command-line Active Directory query utility from joeware.net that is frequently abused as a dual-use reconnaissance tool during post-compromise activity. The content consistently describes it being used to query and extract data from Active Directory, including enumerating computers, domain users, domain groups, organizational units, domain trusts, remote systems, and system network configuration. It is mapped to ATT&CK-style discovery behaviors including Domain Account Discovery, Domain Trust Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, and System Network Configuration Discovery.

The tool appears repeatedly in intrusion reporting as renamed or obfuscated variants to evade detection. In SolarWinds-related intrusions investigated by Volexity, a file named sqlceip.exe was identified as AdFind masquerading as the Microsoft SQL Server Telemetry Client. Microsoft also noted renamed AdFind used by the SolarWinds actor for Active Directory reconnaissance against domain controllers. SentinelLABS reported Black Basta using a uniquely obfuscated AdFind variant named AF.exe for Active Directory discovery.

Threat actors and operations explicitly associated in the content with AdFind use include APT29/NOBELIUM during the SolarWinds compromise, Dark Halo/UNC2452-related activity, UNC2447, Black Basta, Akira affiliates, Mustang Panda, Lotus Blossom, Play, Wizard Spider, and Andariel, as well as broader ransomware and intrusion activity where attackers used AdFind alongside tools such as BloodHound, Mimikatz, Cobalt Strike, ProcDump, PsExec, and WinPEAS. Reported use cases center on reconnaissance and environment mapping prior to credential theft, privilege escalation, lateral movement, email theft, exfiltration, or ransomware deployment.

Targeting reflected in the content is primarily Windows enterprise environments with Active Directory, including incidents affecting a US-based think tank in the SolarWinds campaign and health-sector organizations in reporting on Akira activity. No malware-style persistence or self-propagation behavior is attributed to AdFind itself in the provided content; it is described as a legitimate utility abused by attackers. A notable indicator from the content is the use of renamed binaries such as sqlceip.exe and AF.exe to disguise AdFind execution.
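As an added example (not part of this page or of any vendor's detection content), a small Python hunt over constructed process-creation events that flags AdFind by its real name and, more usefully, renamed binaries such as sqlceip.exe or AF.exe that carry AdFind-style arguments. The objectcategory filter comes from this page; the "-sc trustdmp" and "-default" switches are assumed AdFind syntax not shown here.

```python
import ntpath
import re
from typing import Optional

# Disguise names taken from this page. On their own they are weak signals:
# sqlceip.exe is also the legitimate SQL Server telemetry client.
DISGUISE_NAMES = {"sqlceip.exe", "af.exe"}

# Command-line shapes typical of AdFind. The objectcategory filter is on the
# page; "-sc trustdmp" and "-default" are assumed AdFind switches.
ADFIND_ARG_PATTERNS = [
    re.compile(r'-f\s+"?\(objectcategory=\w+\)', re.I),
    re.compile(r"-sc\s+trustdmp", re.I),
    re.compile(r"-default\b", re.I),
]

# Constructed sample events, not taken from any real incident.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\Temp\sqlceip.exe",
     "cmdline": 'sqlceip.exe -f "(objectcategory=group)" > ad_group.txt'},
    {"image": r"C:\Users\Public\AF.exe",
     "cmdline": 'AF.exe -f "(objectcategory=person)" -default'},
    {"image": r"C:\Program Files\Microsoft SQL Server\150\Shared\sqlceip.exe",
     "cmdline": "sqlceip.exe -Service"},          # benign telemetry client
    {"image": r"C:\Tools\adfind.exe", "cmdline": "adfind.exe -sc trustdmp"},
    {"image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
]


def classify(event: dict) -> Optional[dict]:
    """Return a finding for one process-creation event, or None if clean."""
    name = ntpath.basename(event["image"]).lower()
    matched = [p.pattern for p in ADFIND_ARG_PATTERNS if p.search(event["cmdline"])]
    if name == "adfind.exe":
        return {"rule": "adfind_by_name", "severity": "medium", "image": event["image"]}
    if matched:
        # AdFind arguments under a different image name: renamed/obfuscated copy.
        # A name from the known-disguise list raises severity.
        severity = "high" if name in DISGUISE_NAMES else "medium"
        return {"rule": "adfind_renamed", "severity": severity,
                "image": event["image"], "args": matched}
    return None


def hunt(events) -> list:
    """Run classify() over a batch of events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f]
```

Note that the legitimate sqlceip.exe with its normal arguments produces no finding; the name alone is never enough.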


THREAT ACTORS

Groups observed using it

10 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

APT29

The attacker also made use of a file called sqlceip.exe, which upon first glance might appear as the legitimate version of SQL Server Telemetry Client provided by Microsoft. However, Volexity determined this tool was actually a version of AdFind from joeware.net. AdFind is a command-line tool used for querying and extracting data from Active Directory.

via volexity blog (web.archive.org)
Dark Halo

The attacker also made use of a file called sqlceip.exe, which upon first glance might appear as the legitimate version of SQL Server Telemetry Client provided by Microsoft. However, Volexity determined this tool was actually a version of AdFind from joeware.net. AdFind is a command-line tool used for querying and extracting data from Active Directory.

via volexity blog (web.archive.org)
Mustang Panda

AdFind has the ability to query Active Directory for computers.

via mitre attack website (attack.mitre.org)
Andariel

...open-source and dual-use tools as used and/or customized by the actors: ... AdFind ...

via cisa alerts (cisa.gov)
APT41

AdFind can enumerate domain users.

via mitre attack (attack.mitre.org)
Lotus Blossom

AdFind can enumerate domain users.

via mitre attack (attack.mitre.org)
BlackByte

AdFind can enumerate domain users.

via mitre attack (attack.mitre.org)
UNC215

This includes running native Windows commands on compromised servers, executing ADFind on the Active Directory...

via fireeye (fireeye.com)
Play

By abusing legitimate tools such as Cobalt Strike, Mimikatz, ProcDump, AdFind, and WinPEAS, the group conducts credential theft, privilege escalation, lateral movement, and data exfiltration.

via dark reading (darkreading.com)
UNC2447

...UNC2447 has been observed using the following tools: ADFIND, BLOODHOUND, MIMIKATZ...

via mandiant threat intelligence (cloud.google.com)
MITRE ATT&CK

Techniques & procedures

12 distinct techniques documented for this family, organized by ATT&CK tactic.

T1588.002 Tool (Evidence: 1)

The content repeatedly states that threat actors 'obtained,' 'acquired,' or 'used' publicly available, open-source, legitimate, or modified tools such as Mimikatz, Cobalt Strike, PsExec, Empire, Impacket, and many others.

Stealth

1 technique
T1070.004 File Deletion (Evidence: 1)
Tactic: Stealth

Files pertaining to the threat actor’s post exploitation activities such as reconnaissance of the internal network, were deleted to hinder forensic analysis efforts.

Discovery

10 techniques
T1016 System Network Configuration Discovery (Evidence: 12)
Tactic: Discovery

The content repeatedly describes actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.

T1018 Remote System Discovery (Evidence: 8)
Tactic: Discovery

Several actors used discovery tools such as BloodHound, AdFind, Advanced IP Scanner, SoftPerfect Network Scanner, NBTscan, RustScan, and SNScan for user, system, and network discovery.

T1033 System Owner/User Discovery (Evidence: 2)
Tactic: Discovery

Below is a basic example of how to use adfind.exe to pull user data... After obtaining a full list of users on the domain, check for common weak passwords.

T1069 Permission Groups Discovery (Evidence: 1)
Tactic: Discovery

Commands such as net user /domain and net group /domain ... can list domain users and groups.

T1069.002 Domain Groups (Evidence: 2)
Tactic: Discovery

adfind.exe -f "(objectcategory=group)" > ad_group.txt

T1082 System Information Discovery (Evidence: 1)
Tactic: Discovery

GeminiDuke focuses primarily on gathering details about the victim’s computer’s configuration.

T1087 Account Discovery (Evidence: 4)
Tactic: Discovery

ATT&CK Mapping: The full TTP set observed in this intrusion mapped to the following ATT&CK techniques: Discovery: T1087, T1482 (Account / Domain Trust Discovery), EID 4688 (nltest.exe, net.exe)

T1087.002 Domain Account (Evidence: 4)
Tactic: Discovery

T1087.002 - Domain Account Description from ATT&CK. Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.

T1482 Domain Trust Discovery (Evidence: 13)
Tactic: Discovery

Domain Trust Discovery [T1482]: Can involve the use of custom scripts or tools like AdFind to gather information on domain trust relationships and identify ways for a threat actor to move laterally.

T1518 Software Discovery (Evidence: 1)
Tactic: Discovery

edr-win-disc-adfind-enum

INDICATORS OF COMPROMISE

IOCs tracked for this family

2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Hashes
2 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type         | Value                     | Latest sighting
hash.sha256  | (not shown on this page)  | 2 years ago
hash.sha1    | (not shown on this page)  | 2 years ago
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (2)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (10)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (12)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.