joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

AdFind Enemy #1 for AV Tools

by @ 1:58 pm on 5/31/2021. Filed under tech

Ok not really enemy #1, but they are getting stupid about it.

Once again the AV Tool companies have their panties in a bunch over a joeware tool. Now it is AdFind. The digests on the website are accurate; I also uploaded it to VirusTotal before anyone but me had touched it, so their digests are accurate as well.

https://www.virustotal.com/gui/file/929345d356424b35188a8bff6b71c7183e170554042276339085d3cc68435558/detection

One of the community comments is on point:

“Sure, AdFind is a lolbin. But so are dsquery, dsget and csvde. I’m concerned that the myriad PUP/PUA and GenericML have gone unchallenged for this valuable tool.”

Let me repeat once again: the joeware tools aren’t malware. The issue is that hackers like joeware because the joeware tools do a lot of stuff faster and better than anything else.

No, I am not going to debate it with the AV/Malware companies. I learned long ago that it is absolutely pointless. They are generally clueless when you speak to them and it isn’t worth my frustration to deal with them. Your options are to override your AV/Malware tools locally (and complain to your AV/Malware company that they forgot to mark dsquery, dsget, csvde, ldifde, ldapsearch, ADSI, PowerShell, and anything else that can submit LDAP search queries as malware) or to not use the tool.

I have also heard about SOCs / IR Teams that have gotten trigger happy with AdFind as well, figuring every occurrence of it is a bad guy trying to do something, without intelligently looking at the queries and trying to figure out whether it really looks like an attack. You will have to work with them too if they start doing that. Most of them are quite reasonable when you explain the use of the tool and what you are doing. For those that are picking up on AdFind usage via command line scraping, I recently added an undocumented null switch for folks who want to use it, which can be used to send a code/message to SOC/IR. That switch is called -SOC. It does nothing at all except allow you to type in an arbitrary message that you want SOC/IR to see if they are monitoring your command line journeys. For example:

[Mon 05/31/2021 13:31:45.46]
E:\DEV\cpp\vs\AdFind\Release>adfind -h lockout.test.loc -ldappingex -soc "CompanyID2021"

AdFind V01.56.00cpp Joe Richards (support@joeware.net) April 2021

Using server: LO-DC3.lockout.test.loc:389
Directory: Windows Server 2016

dn:
> OpCode: 0x17
> Flags: 0x3F1FD
> Flags: DS_PDC_FLAG
> Flags: DS_GC_FLAG
> Flags: DS_LDAP_FLAG
> Flags: DS_DS_FLAG
> Flags: DS_KDC_FLAG
> Flags: DS_TIMESERV_FLAG
> Flags: DS_CLOSEST_FLAG
> Flags: DS_WRITABLE_FLAG
> Flags: DS_FULL_SECRET_DOMAIN_6_FLAG
> Flags: DS_WS_FLAG
> Flags: DS_DS_8_FLAG
> Flags: DS_DS_9_FLAG
> Flags: DS_DS_10_FLAG
> Flags: DS_KEYLIST_FLAG_JW
> DomainGuid: {56AD59A0-75A9-4ED4-B22A-1C987461A917}
> DnsForestName: lockout.test.loc
> DnsDomainName: lockout.test.loc
> DnsHostName: LO-DC3.lockout.test.loc
> NetbiosDomainName: LOCKOUT
> NetbiosComputerName: LO-DC3
> UserName: [EMPTY]
> DcSiteName: SITE2
> ClientSiteName: SITE2
> NextClosestSiteName: Default-First-Site-Name

1 Objects returned

Unfortunately, the way the keystroke logging usually works when they are doing that, it won’t catch environment variable predefines, because they only watch what is typed… So if you had set something like

set joeware-default-adfind-soc=CompanyID2020

It wouldn’t be picked up. Sad really, because then it would be child’s play to allow actual proper users to flag things to the SOC/IR, as it would be unlikely that the bad actors would know to do it, well unless they were so deep into your environment that they watched you do it too lol. And some of you… Guess what, they are.
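To show what the -SOC tag looks like from the monitoring side, here is a small Python triage script written as an added example; it is not code from this post or from AdFind itself. It walks process-creation command lines (a constructed "timestamp|user|command line" export, not real telemetry), picks out AdFind invocations, pulls the -SOC value and compares it with an agreed tag (EXPECTED_TAG, an assumed value). The effective_tag helper assumes, as the post describes, that the joeware-default-adfind-soc environment variable supplies a default when no -SOC is typed, which is exactly why command-line scraping alone can misclassify a legitimately tagged run as untagged.

```python
"""Triage AdFind invocations in process-creation command lines by their -SOC tag.

Added example, not code from the joeware post or from AdFind.
Assumptions: log lines are a constructed "timestamp|user|command line" export,
EXPECTED_TAG is the value your admins agreed to pass to -SOC, and the
joeware-default-adfind-soc environment variable acts as a default for -SOC.
"""
import shlex
from typing import Dict, List, NamedTuple, Optional

EXPECTED_TAG = "CompanyID2021"                 # assumed agreed tag
ENV_DEFAULT = "joeware-default-adfind-soc"     # env-var default named in the post

# Constructed sample telemetry (not real data): one adfind run with a quoted tag,
# one with a full path, one untagged, one with a wrong tag, and one non-adfind line.
SAMPLE_LOG = """\
2021-05-31T13:31:45|LOCKOUT\\jrichards|adfind -h lockout.test.loc -ldappingex -soc "CompanyID2021"
2021-05-31T13:40:02|LOCKOUT\\svc_backup|C:\\Tools\\AdFind.exe -f (objectcategory=person) -soc CompanyID2021
2021-05-31T13:52:10|LOCKOUT\\tempuser|adfind.exe -f objectcategory=computer -dn
2021-05-31T14:01:33|LOCKOUT\\jrichards|adfind -default -f (objectclass=trustedDomain) -SOC OtherCorp
2021-05-31T14:05:12|LOCKOUT\\jrichards|dsquery computer -limit 0
"""


class Finding(NamedTuple):
    timestamp: str
    user: str
    tag: Optional[str]   # the -SOC value seen on the command line, if any
    verdict: str         # "tagged", "wrong-tag" or "untagged"


def tokenize(cmdline: str) -> List[str]:
    # Windows-style split: whitespace separated, quotes grouped, backslashes literal.
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def is_adfind(cmdline: str) -> bool:
    """True when the executable (with or without path/.exe) is adfind."""
    tokens = tokenize(cmdline)
    if not tokens:
        return False
    exe = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return exe in ("adfind", "adfind.exe")


def extract_soc_tag(cmdline: str) -> Optional[str]:
    """Return the argument following -soc (case-insensitive), or None."""
    tokens = tokenize(cmdline)
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == "-soc":
            return tokens[i + 1]
    return None


def classify(tag: Optional[str], expected: str) -> str:
    if tag is None:
        return "untagged"        # review: no claim of legitimacy on the command line
    return "tagged" if tag == expected else "wrong-tag"


def triage_line(line: str, expected: str = EXPECTED_TAG) -> Optional[Finding]:
    timestamp, user, cmdline = line.split("|", 2)
    if not is_adfind(cmdline):
        return None
    tag = extract_soc_tag(cmdline)
    return Finding(timestamp, user, tag, classify(tag, expected))


def triage_log(text: str, expected: str = EXPECTED_TAG) -> List[Finding]:
    findings = (triage_line(line, expected) for line in text.splitlines() if line.strip())
    return [f for f in findings if f is not None]


def effective_tag(cmdline: str, env: Dict[str, str]) -> Optional[str]:
    """The tag AdFind itself would see: explicit -SOC, else the env-var default.

    A command-line scraper only sees extract_soc_tag(); an admin who relies on
    the environment variable therefore shows up as "untagged" in the log.
    """
    return extract_soc_tag(cmdline) or env.get(ENV_DEFAULT)


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user:<22} {f.verdict:<9} tag={f.tag}")
    env = {ENV_DEFAULT: EXPECTED_TAG}
    print("env-only run, scraper sees:", extract_soc_tag("adfind -f objectcategory=computer"),
          "| tool uses:", effective_tag("adfind -f objectcategory=computer", env))
```

The verdict is an enrichment signal for the analyst, not an alert on its own: an untagged run still has to be judged on what the query actually asks for, and a tagged run is only as trustworthy as the secrecy of the tag.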

As an aside, over the years I have seen several cases where IR people were targeted by the hackers, because they now often have some of the widest access to things, and if you can pop an IR person you probably own most of the environment and can also get into all of the tools watching everything. That is another reason why, IMO, IR people shouldn’t have admin rights to anything; they should have to reach out to the people who own the support for things to get their assistance. That is how we used to do it back in the day.

    joe
