Suspicious Active Directory Database Snapshot Via ADExplorer
Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the Active Directory database to a suspicious directory. Attackers can use such a snapshot to extract data for BloodHound, harvest usernames for password spraying, or mine the metadata for social engineering. The snapshot does not contain password hashes, but there have been cases where administrators put passwords in the comment field.
Sigma rule

```yaml
title: Suspicious Active Directory Database Snapshot Via ADExplorer
id: ef61af62-bc74-4f58-b49b-626448227652
related:
    - id: 9212f354-7775-4e28-9c9f-8f0a4544e664
      type: derived
status: test
description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the Active Directory database to a suspicious directory. Attackers can use such a snapshot to extract data for BloodHound, harvest usernames for password spraying, or mine the metadata for social engineering. The snapshot does not contain password hashes, but there have been cases where administrators put passwords in the comment field.
references:
    - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
    - https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer
    - https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24
    - https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/
    - https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/
    - https://trustedsec.com/blog/adexplorer-on-engagements
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-14
modified: 2025-07-09
tags:
    - attack.discovery
    - attack.t1087.002
    - attack.t1069.002
    - attack.t1482
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\ADExp.exe'
              - '\ADExplorer.exe'
              - '\ADExplorer64.exe'
              - '\ADExplorer64a.exe'
        - OriginalFileName: 'AdExp'
        - Description: 'Active Directory Editor'
        - Product: 'Sysinternals ADExplorer'
    selection_flag:
        CommandLine|contains: 'snapshot'
    selection_paths:
        CommandLine|contains:
            # TODO: Add more suspicious paths
            - '\Downloads\'
            - '\Users\Public\'
            - '\AppData\'
            - '\Windows\Temp\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
```
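To make the rule's logic concrete, the following Python is an added example (not part of the Sigma rule or the SigmaHQ project) that transcribes the three selections and runs them over a handful of constructed process_creation events. It shows that the four entries under `selection_img` are alternatives (a list of maps is an OR in Sigma), that matching is case-insensitive, that a renamed binary is still caught through `OriginalFileName`, and that a snapshot written to a directory missing from the path list is not caught. The event field names follow the Sigma process_creation schema; the `-snapshot "" <file>` command-line form in the samples is an assumption for illustration.

```python
# Added example: evaluates the rule's three selections over constructed
# process_creation events. Not part of the Sigma rule or the SigmaHQ project.

# Values transcribed from the rule. Sigma string matching is case-insensitive,
# so everything is lower-cased before comparison.
IMAGE_SUFFIXES = ("\\ADExp.exe", "\\ADExplorer.exe", "\\ADExplorer64.exe", "\\ADExplorer64a.exe")
ORIGINAL_FILE_NAME = "AdExp"
DESCRIPTION = "Active Directory Editor"
PRODUCT = "Sysinternals ADExplorer"
FLAG = "snapshot"
SUSPICIOUS_PATHS = ("\\Downloads\\", "\\Users\\Public\\", "\\AppData\\", "\\Windows\\Temp\\")


def _lower(event, field):
    """Return the field lower-cased, or '' when the log source lacks it."""
    return (event.get(field) or "").lower()


def selection_img(event):
    """A list of maps under a selection is a disjunction: any one alternative suffices."""
    image = _lower(event, "Image")
    return (
        any(image.endswith(suffix.lower()) for suffix in IMAGE_SUFFIXES)
        or _lower(event, "OriginalFileName") == ORIGINAL_FILE_NAME.lower()
        or _lower(event, "Description") == DESCRIPTION.lower()
        or _lower(event, "Product") == PRODUCT.lower()
    )


def selection_flag(event):
    return FLAG in _lower(event, "CommandLine")


def selection_paths(event):
    command_line = _lower(event, "CommandLine")
    return any(path.lower() in command_line for path in SUSPICIOUS_PATHS)


def matches(event):
    """condition: all of selection_*"""
    return selection_img(event) and selection_flag(event) and selection_paths(event)


# Constructed sample events (Sysmon-style fields). The '-snapshot "" <file>'
# syntax is an assumption made for the illustration.
SAMPLE_EVENTS = {
    "downloads_snapshot": {
        "Image": r"C:\Users\jdoe\Downloads\ADExplorer64.exe",
        "OriginalFileName": "AdExp",
        "CommandLine": r'ADExplorer64.exe -snapshot "" C:\Users\jdoe\Downloads\ad.dat',
    },
    # Renamed binary: Image no longer matches, but the PE metadata still does.
    "renamed_binary": {
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "AdExp",
        "CommandLine": r'svc.exe -snapshot "" C:\Users\Public\out.dat',
    },
    # Upper-case flag and path: still matched because comparison is case-insensitive.
    "uppercase_flag": {
        "Image": r"C:\WINDOWS\TEMP\ADEXP.EXE",
        "CommandLine": r'ADEXP.EXE -SNAPSHOT "" C:\WINDOWS\TEMP\AD.DAT',
    },
    # Administrator writing to a backup share: tool and flag match, path list does not.
    "admin_backup_share": {
        "Image": r"C:\Tools\ADExplorer.exe",
        "Product": "Sysinternals ADExplorer",
        "CommandLine": r'"C:\Tools\ADExplorer.exe" -snapshot "" D:\Backups\ad-2024.dat',
    },
    # Interactive browsing from Downloads: no -snapshot flag.
    "interactive_browse": {
        "Image": r"C:\Users\jdoe\Downloads\ADExplorer.exe",
        "OriginalFileName": "AdExp",
        "CommandLine": r'"C:\Users\jdoe\Downloads\ADExplorer.exe"',
    },
    # Directory absent from the rule's path list (the TODO in the rule): missed.
    "unlisted_temp_dir": {
        "Image": r"C:\Temp\ADExplorer64a.exe",
        "OriginalFileName": "AdExp",
        "CommandLine": r'ADExplorer64a.exe -snapshot "" C:\Temp\ad.dat',
    },
}


def evaluate(events=SAMPLE_EVENTS):
    """Names of the events the rule fires on, sorted for stable comparison."""
    return sorted(name for name, event in events.items() if matches(event))


if __name__ == "__main__":
    for name, event in SAMPLE_EVENTS.items():
        print(f"{name:22s} {'ALERT' if matches(event) else 'no match'}")
```

Two practical points fall out of the samples. The `OriginalFileName`, `Description` and `Product` alternatives only help when the log source carries PE version metadata (Sysmon Event ID 1 does; Security Event ID 4688 does not), so on 4688-only telemetry a renamed ADExplorer slips through `selection_img`. And the `unlisted_temp_dir` case shows why the rule's `# TODO` matters: extend `selection_paths` with the staging directories seen in your own environment rather than relying on the four listed.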
Related rules
- ADExplorer Writing Complete AD Snapshot Into .dat File
- Active Directory Database Snapshot Via ADExplorer
- Potential Active Directory Reconnaissance/Enumeration Via LDAP
- Malicious PowerShell Commandlets - PoshModule
- Malicious PowerShell Commandlets - ProcessCreation