Active Directory Database Snapshot Via ADExplorer
Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database.
Sigma rule (View on GitHub)
1title: Active Directory Database Snapshot Via ADExplorer
2id: 9212f354-7775-4e28-9c9f-8f0a4544e664
3related:
4 - id: ef61af62-bc74-4f58-b49b-626448227652
5 type: derived
6status: test
7description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database.
8references:
9 - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023-03-14
12tags:
13 - attack.credential-access
14 - attack.t1552.001
15 - attack.t1003.003
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection_img:
21 - Image|endswith: '\ADExplorer.exe'
22 - OriginalFileName: 'AdExp'
23 selection_cli:
24 CommandLine|contains: 'snapshot'
25 condition: all of selection_*
26falsepositives:
27 - Unknown
28level: medium
References
Related rules
- Potential Russian APT Credential Theft Activity
- Suspicious Active Directory Database Snapshot Via ADExplorer
- Automated Collection Command Prompt
- Azure Key Vault Modified or Deleted
- Azure Keyvault Key Modified or Deleted