
ADFind

AdFind is a legitimate command-line Active Directory query utility from joeware.net that is frequently abused as a dual-use post-compromise reconnaissance tool in Windows enterprise environments. The provided content consistently associates it with Active Directory discovery, including enumeration of domain users, domain groups, organizational units, domain trusts, computers, and broader system/network configuration information. It is mapped to MITRE ATT&CK-style behaviors including Domain Account Discovery, Domain Trust Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, and System Network Configuration Discovery.

The content shows AdFind being used by multiple threat actors and in numerous intrusion sets and ransomware operations as part of reconnaissance and lateral movement preparation. Specifically mentioned examples include APT29/NOBELIUM during the SolarWinds compromise, Dark Halo/UNC2452-related activity investigated by Volexity, UNC2447, Akira affiliates, BlackByte, Mustang Panda, Lotus Blossom, Wizard Spider, and actors involved in Egregor and Play intrusions. In these cases, attackers used AdFind to query domain controllers, enumerate remote systems and hostnames, identify domain users and groups, and map Active Directory environments.

A notable example in the content is Volexity’s reporting that attackers used a file named sqlceip.exe that appeared to be the Microsoft SQL Server Telemetry Client but was actually a renamed copy of AdFind. Microsoft also noted use of renamed AdFind during SolarWinds-related post-compromise reconnaissance against domain controllers. These references indicate a common masquerading pattern in which AdFind is renamed to blend into victim environments.

The content does not describe AdFind as self-propagating malware or a malicious implant; rather, it is a legitimate administrative utility commonly repurposed by adversaries for discovery. High-confidence indicators directly mentioned include the executable names ADFind.exe and a renamed sample observed as sqlceip.exe.


THREAT ACTORS

Groups observed using it

10 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

APT29

The attacker also made use of a file called sqlceip.exe, which upon first glance might appear as the legitimate version of SQL Server Telemetry Client provided by Microsoft. However, Volexity determined this tool was actually a version of AdFind from joeware.net. AdFind is a command-line tool used for querying and extracting data from Active Directory.

via Volexity blog (web.archive.org)
Dark Halo

The attacker also made use of a file called sqlceip.exe, which upon first glance might appear as the legitimate version of SQL Server Telemetry Client provided by Microsoft. However, Volexity determined this tool was actually a version of AdFind from joeware.net. AdFind is a command-line tool used for querying and extracting data from Active Directory.

via Volexity blog (web.archive.org)
Mustang Panda

AdFind has the ability to query Active Directory for computers.

via MITRE ATT&CK website (attack.mitre.org)
Andariel

...open-source and dual-use tools as used and/or customized by the actors: ... AdFind ...

via CISA alerts (cisa.gov)
APT41

AdFind can enumerate domain users.

via MITRE ATT&CK (attack.mitre.org)
Lotus Blossom

AdFind can enumerate domain users.

via MITRE ATT&CK (attack.mitre.org)
MITRE ATT&CK

Techniques & procedures

13 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1588.002 Tool (evidence: 1)

The content repeatedly states that threat actors 'obtained,' 'acquired,' or 'used' publicly available, open-source, legitimate, or modified tools such as Mimikatz, Cobalt Strike, PsExec, Empire, Impacket, and many others.

Stealth

2 techniques
T1036 Masquerading (evidence: 1)

During the attack, threat actors renamed the tool from adfind.exe to a.logs in an attempt to evade detection.

T1070.004 File Deletion (evidence: 1)

Files pertaining to the threat actor’s post-exploitation activities, such as reconnaissance of the internal network, were deleted to hinder forensic analysis efforts.

Discovery

10 techniques
T1016 System Network Configuration Discovery (evidence: 7)

...collected Active Directory configuration (Domain Trust Discovery, T1482) and network information (System Network Configuration Discovery, T1016) via ADFind and netscanold.exe.

T1018 Remote System Discovery (evidence: 10)

AdFind – A publicly available tool that is used to query Active Directory. It has legitimate uses but is widely used by attackers to help map a network.

T1033 System Owner/User Discovery (evidence: 2)

Below is a basic example of how to use adfind.exe to pull user data... After obtaining a full list of users on the domain check for common weak passwords.

T1069 Permission Groups Discovery (evidence: 2)

Attackers query directories to extract sensitive information such as user accounts, group memberships and permissions... Some common types of LDAP enumeration that are important to monitor include: Admin enumeration: Queries targeting administrative accounts and privileges

T1069.002 Domain Groups (evidence: 1)

adfind.exe -f "(objectcategory=group)" > ad_group.txt

T1082 System Information Discovery (evidence: 2)

The first step in a Black Basta compromise usually involves executing a uniquely obfuscated version of the AdFind tool... -f objectcategory=computer -csv name cn OperatingSystem dNSHostName

T1087 Account Discovery (evidence: 5)

Attackers query directories to extract sensitive information such as user accounts, group memberships and permissions... Some common types of LDAP enumeration that are important to monitor include: Admin enumeration... Service accounts enumeration...

T1087.002 Domain Account (evidence: 4)

AdFind can enumerate domain users. APT41 used built-in net commands to enumerate domain administrator users. BloodHound can collect information about domain users, including identification of domain admin accounts.

T1482 Domain Trust Discovery (evidence: 13)

...collected Active Directory configuration (Domain Trust Discovery, T1482) and network information... via ADFind and netscanold.exe.

T1518 Software Discovery (evidence: 1)

edr-win-disc-adfind-enum
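The command lines quoted in the Discovery evidence above (the objectcategory=group and objectcategory=computer queries) and the renaming pattern from the summary (sqlceip.exe, a.logs) point to a detection that keys on the command line and PE metadata rather than on the file name alone, so that a renamed copy still surfaces. The following is an added example written for this page; it is not code from Mallory or from joeware. It assumes Sysmon Event ID 1 style fields (Image, OriginalFileName, CommandLine) and treats an OriginalFileName of "AdFind.exe" in the binary's version resource as an assumption to confirm against a sample in your own lab; the sample events are constructed.

```python
"""Score process-creation telemetry for AdFind-style Active Directory
enumeration, including renamed copies.

Added example, not Mallory's or joeware's code. Field names follow
Sysmon Event ID 1 (Image, OriginalFileName, CommandLine). The value
"AdFind.exe" for OriginalFileName is an assumption to verify locally.
"""
import json
import re
from dataclasses import dataclass, field

# Binary name and the renamed copies reported on the page.
ADFIND_NAMES = {"adfind.exe"}
REPORTED_RENAMES = {"sqlceip.exe", "a.logs"}

# Primary signal: AdFind's "-f objectcategory=..." LDAP filter, with or
# without quotes/parentheses (both forms appear in the quoted evidence).
FILTER_RE = re.compile(r"(?<!\w)-f\s+[\"']?\(?objectcategory=", re.I)
# Secondary signals from the Black Basta command line on the page. One alone
# is weak (other AD tooling also names dNSHostName), so two are required
# when the filter is absent.
SECONDARY_RES = [
    re.compile(r"(?<!\w)-csv(?!\w)", re.I),
    re.compile(r"\bdNSHostName\b", re.I),
]


@dataclass
class Verdict:
    event_id: int
    severity: str                      # "none", "medium" or "high"
    reasons: list = field(default_factory=list)


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def cmdline_is_adfind(cmdline: str) -> bool:
    """True when the command line looks like AdFind regardless of image name."""
    if FILTER_RE.search(cmdline):
        return True
    return sum(1 for r in SECONDARY_RES if r.search(cmdline)) >= 2


def assess(event: dict) -> Verdict:
    image = _basename(event.get("Image", ""))
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "")
    reasons = []
    disguised = False          # AdFind behaviour under a non-AdFind name

    if image in ADFIND_NAMES:
        reasons.append("image is adfind.exe")
    if original in ADFIND_NAMES and image not in ADFIND_NAMES:
        reasons.append(f"PE OriginalFileName is AdFind but image is {image}")
        disguised = True
    if image in REPORTED_RENAMES:
        reasons.append(f"image {image} matches a reported AdFind rename")
    if cmdline_is_adfind(cmdline):
        reasons.append("command line carries AdFind enumeration switches")
        if image not in ADFIND_NAMES:
            disguised = True

    if not reasons:
        severity = "none"
    elif disguised:
        severity = "high"      # enumeration plus masquerading (T1036)
    else:
        severity = "medium"    # AdFind by name, or a reported rename alone
    return Verdict(event.get("EventRecordID", -1), severity, reasons)


def scan(lines):
    """Parse JSON lines and return a Verdict for every flagged event."""
    verdicts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        v = assess(json.loads(line))
        if v.severity != "none":
            verdicts.append(v)
    return verdicts


# Constructed sample events (not real telemetry). Command lines 1 and 2
# reproduce the ones quoted on the page; event 4 is benign admin activity.
SAMPLE_EVENTS = r'''
{"EventRecordID": 1, "Image": "C:\\Temp\\adfind.exe", "OriginalFileName": "AdFind.exe", "CommandLine": "adfind.exe -f \"(objectcategory=group)\" > ad_group.txt"}
{"EventRecordID": 2, "Image": "C:\\ProgramData\\sqlceip.exe", "OriginalFileName": "AdFind.exe", "CommandLine": "sqlceip.exe -f objectcategory=computer -csv name cn OperatingSystem dNSHostName"}
{"EventRecordID": 3, "Image": "C:\\Users\\Public\\a.logs", "OriginalFileName": "", "CommandLine": "a.logs -f \"(objectcategory=person)\""}
{"EventRecordID": 4, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "OriginalFileName": "PowerShell.EXE", "CommandLine": "powershell.exe Get-ADComputer -Filter * -Properties dNSHostName"}
'''.splitlines()

if __name__ == "__main__":
    for v in scan(SAMPLE_EVENTS):
        print(f"event {v.event_id}: {v.severity}; " + "; ".join(v.reasons))
```

A plain adfind.exe run scores medium because administrators do use the tool; the high tier is reserved for the case the page emphasises, enumeration switches or AdFind PE metadata behind a different file name. Tune the secondary threshold and add further AdFind switches you observe in your own environment.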

INDICATORS OF COMPROMISE

IOCs tracked for this family

2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Hashes
2 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type | Value | Latest sighting
hash.sha256 | (value masked on the public page) | 2 years ago
hash.sha1 | (value masked on the public page) | 2 years ago