Suspicious Active Directory Database Snapshot Via ADExplorer
Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory.
Sigma rule (View on GitHub)
1title: Suspicious Active Directory Database Snapshot Via ADExplorer
2id: ef61af62-bc74-4f58-b49b-626448227652
3related:
4 - id: 9212f354-7775-4e28-9c9f-8f0a4544e664
5 type: derived
6status: test
7description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory.
8references:
9 - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023-03-14
12tags:
13 - attack.credential-access
14 - attack.t1552.001
15 - attack.t1003.003
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection_img:
21 - Image|endswith: '\ADExplorer.exe'
22 - OriginalFileName: 'AdExp'
23 selection_flag:
24 CommandLine|contains: 'snapshot'
25 selection_paths:
26 CommandLine|contains:
27 # TODO: Add more suspicious paths
28 - '\Downloads\'
29 - '\Users\Public\'
30 - '\AppData\'
31 - '\Windows\Temp\'
32 condition: all of selection_*
33falsepositives:
34 - Unknown
35level: high
References
Related rules
- Active Directory Database Snapshot Via ADExplorer
- Potential Russian APT Credential Theft Activity
- Automated Collection Command Prompt
- Azure Key Vault Modified or Deleted
- Azure Keyvault Key Modified or Deleted