Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Active Directory Database Snapshot Via ADExplorer

Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nasreddine Bencherchali (Nextron Systems)Created Tue Mar 14Updated Wed Jul 099212f354-7775-4e28-9c9f-8f0a4544e664windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection_img:
        - Image|endswith:
              - '\ADExp.exe'
              - '\ADExplorer.exe'
              - '\ADExplorer64.exe'
              - '\ADExplorer64a.exe'
        - OriginalFileName: 'AdExp'
        - Description: 'Active Directory Editor'
        - Product: 'Sysinternals ADExplorer'
    selection_cli:
        CommandLine|contains: 'snapshot'
    condition: all of selection_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
documentcloud.org
2
Resolving title…
learn.microsoft.com
3
Resolving title…
github.com
4
Resolving title…
packetlabs.net
5
Resolving title…
nccgroup.com
6
Resolving title…
trustedsec.com
MITRE ATT&CK
Related Rules
DerivedDetectionhigh

Suspicious Active Directory Database Snapshot Via ADExplorer

Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata
Rule ID
9212f354-7775-4e28-9c9f-8f0a4544e664
Status
test
Level
medium
Type
Detection
Created
Tue Mar 14
Modified
Wed Jul 09
Author
Nasreddine Bencherchali (Nextron Systems)
Path
rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml
Raw Tags
attack.discoveryattack.t1087.002attack.t1069.002attack.t1482
View on GitHub