Suspicious Active Directory Database Snapshot Via ADExplorer

calendar Feb 1, 2024 · attack.credential_access attack.t1552.001 attack.t1003.003  ·
Share on: linkedin copy

Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory.

Sigma rule (View on GitHub)

 1title: Suspicious Active Directory Database Snapshot Via ADExplorer
 2id: ef61af62-bc74-4f58-b49b-626448227652
 3related:
 4    - id: 9212f354-7775-4e28-9c9f-8f0a4544e664
 5      type: derived
 6status: test
 7description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory.
 8references:
 9    - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023/03/14
12tags:
13    - attack.credential_access
14    - attack.t1552.001
15    - attack.t1003.003
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_img:
21        - Image|endswith: '\ADExplorer.exe'
22        - OriginalFileName: 'AdExp'
23    selection_flag:
24        CommandLine|contains: 'snapshot'
25    selection_paths:
26        CommandLine|contains:
27            # TODO: Add more suspicious paths
28            - '\Downloads\'
29            - '\Users\Public\'
30            - '\AppData\'
31            - '\Windows\Temp\'
32    condition: all of selection_*
33falsepositives:
34    - Unknown
35level: high

References

Related rules

to-top