{ "id": "480d5750-1822-4f4d-826b-7276911c175a", "created_at": "2026-04-06T00:21:44.078538Z", "updated_at": "2026-04-10T03:31:17.763356Z", "deleted_at": null, "sha1_hash": "eebe1adebc5f74ddbb477a1215fd277b8f33051b", "title": "AdFind", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 77122, "plain_text": "AdFind\r\nArchived: 2026-04-05 16:46:57 UTC\r\nSummary\r\nCommand line Active Directory query tool. Mixture of ldapsearch, search.vbs, ldp, dsquery, and dsget\r\ntools with a ton of other cool features thrown in for good measure. This tool proceeded\r\ndsquery/dsget/etc by years though I did adopt some of the useful stuff from those tools.\r\nWarranty\r\nSee warranty.\r\nPlatforms\r\nWindows 7 / 2008 R2 or newer against any version of Active Directory, ADAM/ADLDS, and other LDAP\r\ndirectories\r\nCurrent Version\r\nVersion 1.62.00 - October 13, 2023\r\nModification(s) from previous version\r\nMisc\r\nFixed a crash bug introduced when bringing up to functionality par with private joe only LDAP\r\nquery tool\r\nSecurity Requirements\r\nThere are no local security requirements for running AdFind other than the ability to launch\r\nexecutables. Information returned from Active Directory and ADAM/ADLDS will be dependent on the\r\nsecurity configured for the directory. Generally a normal Active Directory user can return a\r\nconsiderable amount of information from Active Directory while ADAM/ADLDS tends to be more\r\nlocked down.\r\nThe -showdel option will require permissions to see into the cn=Deleted Objects container. By default,\r\nthis requires administrator permissions. It can be modified but it is non-trivial for most admins.\r\nThe STATS control options (stats, stats+, statsonly, stats+only, etc.) require the user to have\r\nDEBUG_PRIVILEGE on the server being queried. This generally means admin access is required to\r\nuse that functionality.\r\nhttp://www.joeware.net/freetools/tools/adfind/\r\nPage 1 of 9\n\nThe -sdna (Security Descriptor Non-Admin) or -nosacl options can be used to tell LDAP to not return\r\nthe SACL portion of the ACL. This will allow users without auditing rights to retrieve most of the\r\nSecurity Descriptor of an object. Specifically, the Owner, Group Owner, and DACL information will be\r\nreturned. If you attempt to use -sddl,-sddc,-owner* options and you don't get the information returned,\r\nadd the -sdna option to see if that helps.\r\nThe biggest news around AdFind in the last few years (2020+), the hacker collectives have really taken\r\na liking to it and the AV / Antimalware companies that still, STILL, have no better tools and\r\nmechanisms than to block whole binaries because they might be used in a bad way have decided that\r\nAdFind, as a PUP (potentially unwanted program), should be blocked outright instead of use more\r\nintelligent mechanisms to see maybe what it is actually doing (like enumerating all objects in the\r\nDirectory and alerting on that). This has made it challenging for people to download and run the tool\r\nwithout working with their Internet Security and EndPoint Security teams in their companies. I am\r\nsorry for the stupid out there but there really isn't much I can do about this. The cluelessness in the\r\nAV/Antimalware companies and in some corporate Security teams is well beyond my ability to correct.\r\nAs I figure things out about how to bypass the controls etc in place to block AdFind I will share on the\r\nblog, https://blog.joeware.net. The AV and anti-malware companies are probably a lost cause, but\r\nperhaps you can show your corporate Security folks this page and also how useful the tool is for you to\r\ndo your work and perhaps you will be able to convince them. I have generally found that Security folks\r\nwho are actually trying to be secure and have a solid knowledge and understanding of security and\r\nactually accurately understand what a PUP or PUA is in the ratings without having to look it up will\r\ngenerally whitelist the tool if you really explain how useful it is for you to them. The fact that the\r\nhacker collectives like the tool speaks to its power and capability for knowledgable admins. If you have\r\nSecurity folks who feel blocking AdFind is the right model and aren't also blocking DSQuery,\r\nLDAPSearch, PowerShell, and ADSI really don't actually understand the problem space all that much.\r\nIf you would like for them to contact me about it, tell them to hit me up at support@joeware.net and\r\nexplain the issue they have with the tool and I will try to explain why it shouldn't be an issue though I\r\ndoubt there will be much I can say to them that they couldn't google and find out on their own if they\r\nwanted to.\r\nLanguage\r\nC++. Compiled with Visual Studio 2022\r\nSource Code Availability\r\nNone\r\nStory\r\nAdFind was put together when I finally got sick of the limitations in ldapsearch and search.vbs and\r\ndidn't want to continue writing quick vbscript solutions every time I needed some generic info. Plus,\r\nanyone will tell you vbscript doesn't handle several of the attributes in Active Directory very well.\r\nEventually after I had this tool out there for some time, Microsoft introduced dsquery and dsget. While\r\nthey are nice tools, AdFind continues to be more flexible and I rarely, if ever, use the ds* tools. I did,\r\nhttp://www.joeware.net/freetools/tools/adfind/\r\nPage 2 of 9\n\nhowever, like the ability to pipe the quoted DN results from the query into other command line tools so\r\nI emulated that functionality from the ds* series with AdFind with the -dsq option. One day I realized\r\nthat I could take the piping one step further and worked out the -adcsv option which when combined\r\nwith AdMod is extremely powerful for performing updates on AD. \r\nV01.31.00 added a bunch of new changes, some of these changes include shortcut options. You can\r\nview information on the shortcut options with the new help screen available through /sc?. The story\r\nbehind these shortcut options is that there were queries I was doing on a regular basis that I hated typing\r\nup the whole command for, for example, one of my most common queries is to check a schema object\r\nfor its definitions which would normally take the command adfind -schema -f \"|(name=objectname)\r\n(ldapdisplayname=objectname)\" and now it is as simple as adfind -sc s:objectname. Another common\r\none for me is listing all of the schema objects with a specific prefix which normally would look like\r\nadfind -schema -f \"|(name=prefix*)(ldapdisplayname=prefix*)\" -sort -list ldapdisplayname and now it\r\nis adfind -sc sl:prefix*. Anyway there are a ton of shortcuts, have fun.\r\nV01.40.00 finally added an often requested feature - the ability to pipe the output from one AdFind\r\ncommand as the input for the BASE DN for another AdFind command, this allows things like\r\nrequesting constructed attributes that require a base scope query for all users in an OU or the entire\r\ndirectory with a single command line or counting the number of users in every OU in the directory.\r\nV01.47.00 added a beta switch -nopaging which turns off the default LDAP Paging option. This should\r\nmake it so AdFind can be used against LDAP directories that do not support the paging control. In\r\nV01.48.00 this switch auto-enables itself when it detects a directory that doesn't indicate paging is a\r\nsupported capability in the RootDSE.\r\nV01.52.00 added some beta Regular Expression (regex) functionality. See -regex? usage for more\r\ninformation.\r\nAdd-Ons\r\nADCSV.PL - Perl script to convert a full ADFIND output dump to CSV style format. Included in ZIP\r\nfile for AdFind. No I will not rewrite this in vbscript. I dislike vbscript. I have received a couple of\r\nvbscript scripts to do this, I will not include them as I will only include stuff that I have written so I am\r\nonly answering questions on stuff I wrote. If you only need to export specific attributes, specify those\r\nattributes and use the -csv option to get CSV output natively.\r\nDownload\r\nYou do not have to supply the email address. I would like you to fill that in though so that I have an\r\nidea on how popular a tool really is. If I see 1000 downloads with 900 different email addresses I know\r\nit is more widespread than one that has 1000 downloads and 200 different email addresses because the\r\nsame person needed to keep downloading it for some reason.\r\nNOTE: The AV/Malware companies are being morons blocking AdFind. Please see\r\nhttps://blog.joeware.net/2023/02/22/6166/\r\nhttp://www.joeware.net/freetools/tools/adfind/\r\nPage 3 of 9\n\nNOTE2: I have added a zip password for AdFind.exe in the zip, open the zip file and look in\r\npassword.txt which isn't password protected.\r\nVersion History\r\nUpdate: Version 1.02.00 - Decode more GUID attributes, maintains attribute name case versus converting\r\nto lowercase, convert non-print chars to ?.\r\nUpdate: Version 1.03.00 - Changed how I identified what was a single value SID or GUID field for\r\ndecoding. Seems MS decided to make a couple of GUID fields that were actually UNICODE strings octet\r\nstrings. I got bit by it when working on a little project to do programmatic AD ACL enumerations from a\r\nperl script.\r\nUpdate: Version 1.04.00 - Added option to allow changing timeout value, also increased page timeout\r\ndefault to 120 seconds from 60 seconds. Added bitwise filter conversion option which will convert simple\r\nstrings to bitwise OID values. Changes some of the error handling because some error messages weren't\r\nseeing the light of day such as bad filter or timeout errors.\r\nUpdate: Version 1.05.00 - Added anonymous connection capability. Also added Simple authentication\r\ncapability\r\nUpdate: Version 1.06.00 - Changed -dn and -c options to not return values unless specifically asked for.\r\nUpdate: Version 1.07.00 - Added more SID/GUID attributes for decoding. Most specifically for Exchange\r\n2000.\r\nUpdate: Version 1.08.00 - Added more SID/GUID attributes for decoding. Most specifically for Dot NET\r\nDomains.\r\nUpdate: Version 1.09.00 - Attempting to read schema to determine binary/GUID/SID attributes. Display\r\nBinary Info as HEX. Also fixed some bad memory management I was doing during count and DN only\r\noperations. You should notice that less memory being used for these operations.\r\nUpdate: Version 1.10.00 - Added No referrals option (-nr). Added Page size option (-ps)\r\nUpdate: Version 1.11.00 - 02/23/2003 - Added port option (-p)\r\nUpdate: Version 1.12.00 - 05/24/2003 - Fixed a bug in the -BIT option with OR. Also added -default, -root,\r\n-schema, -config that can be used instead of having to specify the full DN for those partitions with -b.\r\nUpdate: Version 1.13.00 - 12/01/2003 - Never publicly released, fixed a small bug.\r\nUpdate: Version 1.14.00 - 04/10/2004 - Added decode sid option (-sddc), added dsquery style output for\r\nDeano (-dsq), added elapsed time counter (-elapsed), added sort (-sort) and reverse sort (-rsort), added\r\nshow deleted objects (-showdel) which inserts the deleted objects display OID into the server control,\r\nadded new parameter validation system I worked up for oldcmp.\r\nUpdate: Version 1.14.01 - 04/11/2004 - Added a line outputting the full SDDL string for security\r\ndescriptors because ~Eric asked for it. :o)\r\nUpdate: Version 1.15.00 - 04/24/2004 - Fixed an issue with the elapsed time option, it was really screwed\r\nup. ;o)\r\nUpdate: Version 1.16.00 - 05/20/2004 - Change for internal attrib identification for display. Took into\r\naccount defunct attribs.\r\nUpdate: Version 1.17.00 - 05/29/2004 - Added several new options: /stats, /stats+, /statsonly, /stats+only -\r\nall of these are for displaying LDAP STATS info on Windows 2003 AD. They will help you determine how\r\nhttp://www.joeware.net/freetools/tools/adfind/\r\nPage 4 of 9\n\nefficient a given query is. Some additional options: /extname which will give you the GUID and SID bind\r\nDNs as well as the regular DN, /exterr which will display some additional error info - specifically dsid\r\ncodes which PSS likes to see. I also added some additional functionality that works all the time and that is\r\nclosest match display if you specify a bad base DN and also it will display any referrals generated.\r\nUpdate: Version 1.18.00 - 07/05/2004 - Fixed a leak in the ldap result section added last version. Fixed a\r\nbug in the Stats section on how it displayed the bitewise AND|OR. Fixed the display of deleted objects.\r\nYou will note that you usually have a new line in the middle of the name and cn fields with K3 and also the\r\nDN and distinguishedName fields in 2K. MS fixed the DN for K3 but missed the others, I catch them all.\r\nUpdate: Version 1.19.00 - 08/09/2004 - Fixed a bug with decoding of lastLogonTimestamp. Fixed a bug\r\nwhere you couldn't use -root. Added relative base option (-rb). Added -binenc option, this allows you to\r\nspecify guids and sids in nice human format in a query and it will convert it (ex: objectsid={{sid:S-1-5-21-\r\n3593593216-2729731540-1825052264-1105}}). Add excl option to exclude display of certain attribs. I\r\nalso added some code to catch what appears to be a bug in AD. Occasionally STATS control will return a\r\nDWORD value where it should return an OctetString. This was throwing exceptions in AdFind. Now it\r\nwill capture it and set the bad values to be \"\".\r\nUpdate: Version 1.20.00 - 08/10/2004 - Found out more about STATS bug, added additional usage info and\r\nthrow up a message when it occurs. MS requires DEBUG_PRIVILEGE on the DC in order to returns\r\nSTATS info.\r\nUpdate: Version 1.21.00 - 09/05/2004 - Fixed division by zero error, fixed some usage text.\r\nUpdate: Version 1.22.00 - 09/18/2004 - Added -selapsed, fixed bug in -sddl, added ldap directory\r\ndetermination capability\r\nUpdate: Version 1.23.00 - 09/22/2004 - Added lockoutTime to list of time values to be decoded\r\nUpdate: Version 1.24.00 - 09/30/2004 - Recompiled to remove Debug info\r\nUpdate: Version 1.25.00 - 12/10/2004 - Added several options -\r\nmaxe,sddl,kerbenc,ff,samdc,excldn,excldndelim. Port can be specified in -h option. -sddc functionality\r\nchanged to not append nTSecurityDescriptor attribute if attribs are specified. Dot (.) specified for -h gets\r\ntranslated to localhost.\r\nUpdate: Version 1.25.01 - 12/10/2004 - Missed cleaning up some debug statements from 1.25.00.\r\nUpdate: Version 1.26.00 - 02/12/2005 - Fixed stats bug. Fix stats base search message bug. Fixed bug in \"-\r\nh .\". Fix bug in ranging for K3. Added -nodn,-nolabel,-noctl,-owner,-owneronly,-ownercsv,-sdna.\r\nUpdate: Version 1.27.00 - 11/05/2005 - Fixed bug in stats filter expansion. Decode msDS-User-Account-Control-Computed with -samdc. Add TZ string for -tdc(s). Added port info on host connection output info.\r\nBroke help up. Added -pr, -list, -soao, -oao,-csv, -csvdelim, -csvmvdelim, -csvq, -nocsvheader, -incldn, -\r\nincldndelim, -e, -ef, -tdcs, -utc, -po.\r\nUpdate: Version 1.28.00 - 12/21/2005 - Fixed bug in stats, fixed bug in usage display, fixed bug in counting\r\nfor -incldn.\r\nUpdate: Version 1.29.00 - 12/22/2005 - -up * will now query user for password so you don't have to specify\r\non command line\r\nUpdate: Version 1.30.00 - 01/29/2006 - Bug fix for multivalue sid/guid attribs. Fixed /??? usage bug.\r\nAdded -ssl, -null, -flagdc, -sl, -adcsv. Added logic to prevent logonWorkstations from being displayed in\r\nHEX.\r\nUpdate: Version 1.30.01 - 01/31/2006 - Fixed small bug with usage.\r\nhttp://www.joeware.net/freetools/tools/adfind/\r\nPage 5 of 9\n\nUpdate: Version 1.31.00 - 03/22/2006 - Added /???? shortcut help menu describing a ton of shortcuts which\r\nwill not be listed here. Fixed Decode issue with msDS-User-Account-Control-Computed. Decode some\r\nmore flags/values. Decode more attributes - msDS-Behavior-Version, msDS-Cached-Membership, msDS-Cached-Membership-Time-Stamp, msDS-Site-Affinity, retiredReplDSASignatures, msDS-RetiredReplNCSignatures. Properly handle requested binary format ;binary. Added support for \\t for\r\ndelimiter switches so you can specify tab delimited. Added options for -binenc to encode int8 time format\r\nusing {{utc:}} and {{local:}}. Officially added (unhid) shortcut options (-sc xxx:yyy), see /????. Added -\r\nschdc, -rootdse, -rootdsefull, -alldc (all decode), -replacedn, -replacedndelim, -sitenamedc, -resolvesids, -\r\nsddc+/-sddl+, -rawsddl, -mvfilterdelim, -mvfilter, -mvnotfilter, -sidbinout, -guidbinout, -asq, -decutc, -\r\ndeclocal, -encutc, -enclocal\r\nUpdate: Version 1.32.00 - 10/01/2006 - Fixed several bugs, added subnets and exch to DN Replace option,\r\nAdded support to decode longhorn mode values, Expanded partitions msDS-Behavior-Version decoded on,\r\nDecode defaultSecurityDescriptor, Changed usage switches around - see adfind /?, Added switches -\r\nsddl++, -sddlfilter, -sddlnotfilter, -recmute, -noowner, -nogroup, -nodacl, -nosacl, -decsddlacl, -tdca, -tdcas,\r\n-tdcgt, -tdcgts, Allow ACEs in SDDL+/SDDL++ output to be filtered with -mvfilter, Fixed -maxe so it\r\nworks for values \u003e1000, Increased buffer size of -ef and -ff options to 10MB, Special Exchange specific\r\ndecode of msExchMailboxSecurityDescriptor with sddl+, Added shortcuts listpropsets, listpropsetsl,\r\nlistpropsetscsv, listvwrites, listvwritesl, listvwritescsv, listxrights,listxrightsl,listxrightscsv,exchmbxs,\r\nexchme, sdfilter, sdfilterns, explaces\r\nUpdate: Version 1.33.00 - 10/30/2006 - Updates usage, fixed -sc u bug, mod to -decsddlacl, more timers for\r\n-selapsed, Added INCHAIN/NEST for -bit, added -exterr option for more error points.\r\nUpdate: Version 1.34.00 - 11/13/2006 - Fixed bug in filtered SDDL output, added -qlist, -onlysacl, -\r\nonlydacl\r\nUpdate: Version 1.35.00 - 01/06/2007 - Fixed bug in -onlydacl, added shortcut DomainNCs, fixed bug in -\r\nsddl flag output, changed decode output for ACL Flag for -sddl+, added -onlydaclflag -onlysaclflag -\r\nonlyaclflags\r\nUpdate: Version 1.36.00 - 02/24/2007 - Added switches: -nrss, -resolvesidsldap, -csvnoq, -gcb, -mvfiltercs,\r\n-scexchnosys, -sdsize, -sdsizenl, -metasort. Added the following shortcuts: exchsmtpaddr,\r\nexchprimarysmtp, objmeta, objsmeta, legacylvr, legacylvrs, legacygroupmembers, replqueue, ncrepl.\r\nUpdated switches:-rootdse, -fullrootdse. Updated shortcut: exchme. Decode attributes: supportedExtension,\r\npwdProperties. Decode ;binary form of attributes: msDS-ReplAttributeMetaData, msDS-ReplValueMetaData, msDS-NCReplCursors, msDS-ReplConnectionFailures, msDS-ReplLinkFailures,\r\nmsDS-NCReplInboundNeighbors, msDS-NCReplOutboundNeighbors, msDS-ReplAllInboundNeighbors,\r\nmsDS-ReplAllOutboundNeighbors, msDS-ReplPendingOps, msDS-TopQuotaUsage\r\nUpdate: Version 1.37.00 - 06/24/2007 - Added new special base switches: forestdns, domaindns, gpo,\r\npsocontainer, ldappolicy, xrights, partitions, sites, subnets, exch, dcs, fsps. Added new switches:\r\nnoautoranging, onlyaclprot, onlyaclunprot Added the following shortcuts: rodcpas, rodcpasl, !rodcpas,\r\n!rodcpasl, export, sddldmp, sddlmap, sitedmp, subnetdmp, gpodmp, fspdmp, oudmp, showmeta,\r\nshowmetas. Updated switches:-replacedn. Decode more time/interval valuesDecode attributes: options,\r\nmS-DS-ReplicatesNCReasonUpdated some of the decode functions for Longhorn (aka Windows Server\r\n2008) values Updates STATS to work properly with Longhorn Fixed multiple usage typosFixed bug with -\r\nhttp://www.joeware.net/freetools/tools/adfind/\r\nPage 6 of 9\n\nmvfilterStreamlined some of the shortcutsSped up SID resolution (especially in cases where LDAP\r\nconnection but no RPC connection)Changed \"Coordinated Universal Time\" in time decode to UTC.\r\nUpdate:Version 1.38.00 - Never publicly released\r\nUpdate: Version 1.39.00 - 01/10/2009 - Now compiled with Code Gear C++ Builder 2009, smaller and\r\nfaster executable. Changed Windows Longhorn references to Windows Server 2008. Updated decoded\r\nattributes to account for Windows Server 2008 values. Added additional decoded attributes. Multiple bug\r\nfixes. Multiple shortcut fixes. Multiple usage screen typo fixes. -csv now also sets -noctl automatically. -sc\r\nsdump sorts multivalue attributes included in return set. Arbitrary text column mode for -csv (see -csv?). -\r\nrawsddl no longer requires -sddl. Auto-Ranging disabled for any attributes where the range modifier was\r\nspecified. Assume -default if no base specified. -mvfilter string matching is made without any modifiers in\r\nthe returned attribute. I.E. Match on someattrib not someattrib;binary. Added more attributes to be returned\r\nfor -fullrootdseAdded. New switches: rootdseanon, nirs, nirsx, writeable, sslignorecert, mvsort, mvrsort,\r\nfilterbreakdown, enccurrent, tdcd, inputdn. New shortcuts: admincountdmp, xrdump, dcdmp, adobjcnt,\r\nalldc+, users_disabled, users_nonexpiring, users_pwdnotreqd, users_accexpired, computers_disabled,\r\ncomputers_pwdnotreqd, computers_active, computers_inactive, schver, spn, email, site, subnet, syscrit,\r\nrodc_cachable, policies\r\nUpdate: Version 1.40.00 - 02/13/2009 - AdFind now accepts multiple DNs for BASE paramter through\r\nSTDIN piping.Enable -alldc+ switch that was added in V01.39.00Fixed Misc usage typosAdded Windows\r\nServer 2008 R2 decode constantsAdded \"default\" -e and -ef type functionality (i.e. default environment\r\nvariables or default config file that are always processed)Added new switches: -csvqesq, -extsrvinfo, -\r\nsrvctls, -showdelobjlinks, -showrecycled, -showdel+, -tdcdshort, -ic, -db, -ictsv, -stdinsort, -subsetAdded\r\nnew shortcuts: -sc trustdmp, -sc ou:xx\r\nUpdate: Version 1.41.00 - 02/13/2010 - Multiple bug fixes, switches, logic, shortcuts, and docs. Added\r\ndecodes for linkID, msDS-OptionalFeatureFlags, msDS-RequiredForestBehaviorVersion, msDS-RequiredDomainBehaviorVersion, and some K8R2 Decodes for existing decoded attributes. Additional\r\nwork on the Environment (-e and -ef) functionality. Added new switches: -arecex, -digest, -this, -jtsv, -\r\nusers, -displayspecifiers, -nocsvq, -csvnoheader, -hh, -hd, -tdcfmt, -tdcsfmt. Added new shortcuts: -sc\r\nreplstat, -sc getacl, -sc getacls Added ;class and ;attr modifiers to shortcuts -sc s and -sc sl.\r\nUpdate: Version 1.42.00 - 04/24/2010 - Fixed port bug in -rootdseanon, Fixed -adcsv header bug, Fixed\r\nbug in schema OID retrieval, Added -decint, -metafilter,-metafilterattr,-metafilterval, -statsonlynodata,-\r\nstats+onlynodata,-ameta,-vmeta switches, Added more fields for stats output for 2008+, Changed the\r\ndecode of -9223372036854775808,Added -sc dompol shortcut\r\nUpdate: Version 1.43.00 - 02/13/2011 - Decode more attributes. Fixed multiple usage typos. Modified how\r\nseveral shortcuts functioned to allow CSV, also fixed a few bugs, probably added a few more. ;) Fixed\r\nseveral bugs around handling improperly formatted input. Attempted to fix cut/paste bug from\r\nOutlook/Word for doublequote and dash. Enabled -stats with -c. Fixed bug in time output for 00/00/00.\r\nFixed hang bug with processing VERY LARGE groups for CSV. Fixed UTC error in -declocal. Added\r\n%int8% for -tdc(s)fmt. Added ENCPWD: format for -up switch. Added -objfilefolder, -encpwd switches.\r\nAdded shortcuts adam_info, adam_fo, adam_u, adam_g, adam_ou, adam_email, adam_spn, dclist,\r\nexport_*. Added _attr and attr- functionality for most shortcuts\r\nUpdate: Version 1.44.00 - 03/03/2011 - Fixed paging bug for non-MSFT LDAP directories. Decode some\r\nOpenLDAP RootDSE OIDs.Add -nopagingcheck switch. Fixed output bug in value metadata. Removed\r\nhttp://www.joeware.net/freetools/tools/adfind/\r\nPage 7 of 9\n\nnTSecurityDescriptor from -sc export_* shortcuts. Added shortcut -sc domainlist. Disallow combination of\r\nspecial base and -b switch. Changed switches behind shortcut -sc dclist to be more flexible. Added ability\r\nto -sc gclist, -sc !gclist.\r\nUpdate: Version 1.45.00 - 03/15/2011 - Fixed bug in -tdcdshort\r\nUpdate: Version 1.46.00 - 02/xx/2012 - Fixed bug in decoding binary attributes. Fixed bug in -tdcsfmt.\r\nFixed base bug in -sc objsmeta. Fixed multiple bugs around CSV quoting. Fixed typoes in usage. Fixed\r\nbugs in dsheuristics decode, Added dynamic determination of int8 time and interval attributes. Better error\r\nmessage when folder doesn't exist for -objfilefolder. Error out if multiple special based used. Fixed -sc\r\ndcdmp:csv, added objectsid as well. Changed -sc adobjcnt such that -gc is no longer specified. Modified -sc\r\npolicies. Added decodes for Win8. Decode msDFSR-Flags. Allow you to specify filter for -ameta and -\r\nvmta. Added following switches -int8time, -int8time-, -dpdn, -pdn, -pdnu, -pdnq, -pdnuq, -statsnofilter, -\r\ncsvxl, -exportfile,-cv. Added shortcut -sc adinfo.\r\nUpdate: Version 1.47.00 - 10/31/2012 - Fixed bugs with -this,-ameta,-vmeta. Changed Win8 decodes\r\nstrings to Windows 2012. Added switch -nopaging. Added shortcut -sc ridpool.\r\nUpdate: Version 1.48.00 - 1/17/2015 - Fixed a bunch of bugs. Added a bunch of decodes.Tweaked various\r\nshortcuts to increase speed, etc. Allow duplicate attributes to be specified for CSV output (broken a few\r\nversions back). Added IPv6 addressing format support for -h/-hh switches. Auto-enable -nopaging when\r\nnecessary. Added ability to use SID/GUID/IID for BaseDN. Added additional constants for -replacedn.\r\nAdded :dnwdata:= matching rule. Added BASE64 for -binenc. Added Hex/Base64 modifiers for -sidbinout\r\nand -guidbinout. New special bases: -sitelinks, -legacydns, -quotas. Added shortcuts -sc sitelinkdmp, -sc\r\nsitelinkdmpl. Added switches -exclrepl, -ametal, -vmetal, -fdnx, -encguidtoiid, -deciidtoguid, -\r\nobjcnterrlevel, -stripdn\r\nUpdate: Version 1.49.00 - 02/28/2015 - Fixed bug in -dloid\r\nUpdate: Version 1.50.00 - 05/04/2017 - Ported to Visual Studio 2017. Change CHAR based functions to\r\nsafeR (_s) versions. SID Resolution speed greatly increased Security Descriptors. Schema OID query\r\nincreased to 1K page size (faster startup). BUGFIXES: Fixed auto-nopaging, -sddl+ fixed\r\n***INVALID*** incorrectly displayed in decoded ACL, dsHeuristics decode bug, Fixed CanonicalName\r\ncontaining \\0A causing newline, Removed -sc gclist (didn't work). Threshold Decodes changed to\r\nWindows Server 2016. Additional dsHeuristics decodes. Decode msDS-ReplAuthenticationModeDecode\r\nmsds-revealedusers. Changed ADAM to ADLDS. Added switches -appver, -dplsids, sslinfo, -tdcda, -\r\ntdctzstr, -csvconnerr. Added aliases for -sc schemadmp=sdump, -sc xrdmp=xrdump. Added \"short\" option\r\nto -sc dclist.Added utcgt/localgt for -binenc.Added special bases -prb, -ds, -svcs, -delobjs, -delobjs+, -roles.\r\nThe -rb switch works with piped in dns now.\r\nUpdate: Version 1.51.00 - 10/31/2017 - Fixed number of small bug fixes / memory leak fixes related to\r\nBorland Builder C++ to VS 2017 conversion, Preloaded Security Descriptor OIDs, For PSISE if stderr\r\nredirect send header to stdin, Added Bulk SID resolution to SID atts, Added garbageCollPeriod to policies,\r\nDecode msDS-TrustForestTrustInfo (-samdc), Added more attributes to -fullrootdse, Updated time/sid\r\nattributes hardcode, Brought back the mainicon, Added fgppcontainer alias for psocontainer, Decode\r\nwellknownobjects/otherwko, Decoded dSASignature, msExchRemoteRecipientType,\r\nmsExchRecipientDisplayType, msExchRecipientTypeDetails, Fixed jtsv/2 to use -csv xx value, Added -\r\nametanl, -vmetanlAdded -jsd, -jsdnl, -jsde, -jsdenl, -url, -sddl+++/-sddc+++,-sddl3 alias for sddl+++, -\r\nmetamvcsv, -metamvcsva, -metamvcsvv, -binsize xx, -binsizenl xx, -adminrootdse, Changed dcdmp filter\r\nhttp://www.joeware.net/freetools/tools/adfind/\r\nPage 8 of 9\n\nto dclist filter, Added dn to -sc dclist:xx, Added shortcuts cexplaces,caclnoinherit, structdmp/dump,\r\nfgpps/psos\r\nUpdate: Version 1.52.00 - 01/11/2020 - Ported to Visual Studio 2019 and a whole lot more.\r\nUpdate: Version 1.53.00 - 01/01/2021 - Lots of fixes, no longer listing details here. :)\r\nUpdate: Version 1.54.00 - 01/19/2021 - Bug fixes\r\nUpdate: Version 1.55.00 - 03/14/2021 - More bug fixes and some performance increases\r\nUpdate: Version 1.56.00 - 04/23/2021 - More bug fixes and additions\r\nUpdate: Version 1.57.00 - 11/12/2021 - Ported to Visual Studio 2022, more bug fixes and additions\r\nUpdate: Version 1.58.00 - 03/07/2022 - Not released to the Public\r\nUpdate: Version 1.59.00 - 05/06/2023 - Bug fixes, usage fixes, -c2,-upto switches added\r\nUpdate: Version 1.60.00 - 05/06/2023 - Private build\r\nUpdate: Version 1.61.00 - 10/08/2023 - Functionality Par with joe internal only tool, random bugfixes etc\r\nUpdate: Version 1.62.00 - 10/13/2023 - Bug fix of crash bug introduced in V01.61.00\r\nAs seen in\r\nActive Directory Third/Fourth Edition/Fifth Edition - O'Reilly Publishing\r\nActive Directory Cookbook Second/Third Edition/Fourth Edition - O'Reilly Publishing\r\nhttp://www.jsiinc.com in tips and tricks\r\nWindows IT Pro Magazine\r\nThousands of blog posts.\r\nThousands of newsgroup and web forum postings.\r\nThousands of ActiveDir Org postings.\r\nMany articles and presentations about Hackers performing AD Recon and IR Teams working to catch them\r\n;)\r\nUsage\r\n    Download and type adfind /? for basic usage\r\nSee current usage screens\r\nSource: http://www.joeware.net/freetools/tools/adfind/\r\nhttp://www.joeware.net/freetools/tools/adfind/\r\nPage 9 of 9", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "http://www.joeware.net/freetools/tools/adfind/" ], "report_names": [ "adfind" ], "threat_actors": [ { "id": "e993faab-f941-4561-bd87-7c33d609a4fc", "created_at": "2022-10-25T16:07:23.460301Z", "updated_at": "2026-04-10T02:00:04.617715Z", "deleted_at": null, "main_name": "Longhorn", "aliases": [ "APT-C-39", "Platinum Terminal", "The Lamberts" ], "source_name": "ETDA:Longhorn", "tools": [ "Black Lambert", "Blue Lambert", "Corentry", "Cyan Lambert", "Fluxwire", "Gray Lambert", "Green Lambert", "Magenta Lambert", "Pink Lambert", "Plexor", "Purple Lambert", "Silver Lambert", "Violet Lambert", "White Lambert" ], "source_id": "ETDA", "reports": null }, { "id": "70db80bd-31b7-4581-accb-914cd8252913", "created_at": "2023-01-06T13:46:38.57727Z", "updated_at": "2026-04-10T02:00:03.028845Z", "deleted_at": null, "main_name": "Longhorn", "aliases": [ "the Lamberts", "APT-C-39", "PLATINUM TERMINAL" ], "source_name": "MISPGALAXY:Longhorn", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "23dfc9f5-1862-4510-a6ae-53d8e51f17b1", "created_at": "2024-05-01T02:03:08.146025Z", "updated_at": "2026-04-10T02:00:03.67072Z", "deleted_at": null, "main_name": "PLATINUM TERMINAL", "aliases": [ "APT-C-39 ", "Longhorn ", "The Lamberts ", "Vault7 " ], "source_name": "Secureworks:PLATINUM TERMINAL", "tools": [ "AfterMidnight", "Assassin", "Marble Framework" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434904, "ts_updated_at": 1775791877, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/eebe1adebc5f74ddbb477a1215fd277b8f33051b.pdf", "text": "https://archive.orkl.eu/eebe1adebc5f74ddbb477a1215fd277b8f33051b.txt", "img": "https://archive.orkl.eu/eebe1adebc5f74ddbb477a1215fd277b8f33051b.jpg" } }