attack.t1069.002

Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.

Active Directory Database Snapshot Via ADExplorer

Aug 14, 2025 · attack.discovery attack.t1087.002 attack.t1069.002 attack.t1482 ·

Share on:

Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.

ADExplorer Writing Complete AD Snapshot Into .dat File

Aug 14, 2025 · attack.discovery attack.t1087.002 attack.t1069.002 attack.t1482 ·

Share on:

Detects the dual use tool ADExplorer writing a complete AD snapshot into a .dat file. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.

Suspicious Active Directory Database Snapshot Via ADExplorer

Aug 14, 2025 · attack.discovery attack.t1087.002 attack.t1069.002 attack.t1482 ·

Share on:

Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.

Potential Active Directory Reconnaissance/Enumeration Via LDAP

Jul 8, 2025 · attack.discovery attack.t1069.002 attack.t1087.002 attack.t1482 ·

Share on:

Detects potential Active Directory enumeration via LDAP

HackTool - SharpView Execution

Jun 4, 2025 · attack.discovery attack.t1049 attack.t1069.002 attack.t1482 attack.t1135 attack.t1033 ·

Share on:

Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems

Active Directory Group Enumeration With Get-AdGroup

Aug 12, 2024 · attack.discovery attack.t1069.002 ·

Share on:

Detects usage of the "Get-AdGroup" cmdlet to enumerate Groups within Active Directory

HackTool - Bloodhound/Sharphound Execution

Aug 12, 2024 · attack.discovery attack.t1087.001 attack.t1087.002 attack.t1482 attack.t1069.001 attack.t1069.002 attack.execution attack.t1059.001 ·

Share on:

Detects command line parameters used by Bloodhound and Sharphound hack tools

Reconnaissance Activity

Aug 12, 2024 · attack.discovery attack.t1087.002 attack.t1069.002 attack.s0039 ·

Share on:

Detects activity as "net user administrator /domain" and "net group domain admins /domain"