ADExplorer Writing Complete AD Snapshot Into .dat File
Detects the dual-use tool ADExplorer writing a complete AD snapshot into a .dat file. This can be used by attackers to extract data for BloodHound, harvest usernames for password spraying, or use the metadata for social engineering. The snapshot doesn't contain password hashes, but there have been cases where administrators put passwords in the comment field.
Sigma rule
```yaml
title: ADExplorer Writing Complete AD Snapshot Into .dat File
id: 0a1255c5-d732-4b62-ac02-b5152d34fb83
related:
    - id: 9212f354-7775-4e28-9c9f-8f0a4544e664
      type: similar
status: experimental
description: Detects the dual-use tool ADExplorer writing a complete AD snapshot into a .dat file. This can be used by attackers to extract data for BloodHound, harvest usernames for password spraying, or use the metadata for social engineering. The snapshot doesn't contain password hashes, but there have been cases where administrators put passwords in the comment field.
references:
    - https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer
    - https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24
    - https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/
    - https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/
    - https://trustedsec.com/blog/adexplorer-on-engagements
author: Arnim Rupp (Nextron Systems), Thomas Patzke
date: 2025-07-09
tags:
    - attack.discovery
    - attack.t1087.002
    - attack.t1069.002
    - attack.t1482
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\ADExp.exe'
            - '\ADExplorer.exe'
            - '\ADExplorer64.exe'
            - '\ADExplorer64a.exe'
        TargetFilename|endswith: '.dat'
    condition: selection
falsepositives:
    - Legitimate use of ADExplorer by administrators creating .dat snapshots
level: medium
```
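To show what the `selection` block actually matches, here is an added Python example (not from the Sigma project or the rule's authors) that applies the same two `endswith` conditions to constructed Sysmon FileCreate records; the `FileEvent` class, the sample paths and user names are assumptions made for the demonstration.

```python
# Added example (not part of the Sigma rule or project): re-implements the
# rule's `selection` block over constructed Sysmon Event ID 11 (FileCreate)
# records. Field names follow the Sigma windows/file_event log source
# (Image, TargetFilename); the records below are made up.
from dataclasses import dataclass

# Suffix lists copied from the rule. Sigma string matching is
# case-insensitive by default, so both sides are lower-cased.
IMAGE_SUFFIXES = tuple(s.lower() for s in (
    "\\ADExp.exe", "\\ADExplorer.exe", "\\ADExplorer64.exe", "\\ADExplorer64a.exe"))
TARGET_SUFFIX = ".dat"


@dataclass(frozen=True)
class FileEvent:
    image: str             # Sysmon field Image (process that wrote the file)
    target_filename: str   # Sysmon field TargetFilename (file created)
    user: str = ""         # constructed attribute, used only for reporting


def matches_rule(event: FileEvent) -> bool:
    """True when the event satisfies the rule's `selection` block."""
    image_ok = event.image.lower().endswith(IMAGE_SUFFIXES)
    target_ok = event.target_filename.lower().endswith(TARGET_SUFFIX)
    return image_ok and target_ok


def alerts(events):
    """Return the events that would raise this rule (condition: selection)."""
    return [e for e in events if matches_rule(e)]


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    # Snapshot written by the 64-bit binary: should match.
    FileEvent(r"C:\Tools\ADExplorer64.exe", r"C:\Users\alice\Desktop\corp.dat", "CORP\\alice"),
    # Upper-case extension: still matches because the comparison is case-insensitive.
    FileEvent(r"C:\Tools\ADExplorer.exe", r"C:\Users\bob\AppData\Local\Temp\AD.DAT", "CORP\\bob"),
    # Settings file from the same tool, not a snapshot: should not match.
    FileEvent(r"C:\Tools\ADExplorer.exe", r"C:\Users\bob\AppData\Roaming\ADExplorer.ini", "CORP\\bob"),
    # .dat written by an unrelated process: should not match.
    FileEvent(r"C:\Windows\System32\notepad.exe", r"C:\Users\carol\notes.dat", "CORP\\carol"),
]

if __name__ == "__main__":
    for e in alerts(SAMPLE_EVENTS):
        print(f"ALERT: {e.user} wrote AD snapshot {e.target_filename} via {e.image}")
```

Because the rule is at level medium and administrators legitimately produce .dat snapshots, an analyst would triage hits by checking whether the writing account and host are expected to run ADExplorer at all.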
Related rules
- Active Directory Database Snapshot Via ADExplorer
- Suspicious Active Directory Database Snapshot Via ADExplorer
- Potential Active Directory Reconnaissance/Enumeration Via LDAP
- Malicious PowerShell Commandlets - PoshModule
- Malicious PowerShell Commandlets - ProcessCreation