Active Directory Database Snapshot Via ADExplorer

Rule Info

Name
Active Directory Database Snapshot Via ADExplorer
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag, which saves a local copy of the Active Directory database. Attackers can use such a snapshot to extract data for BloodHound, harvest usernames for password spraying, or mine the object metadata for social engineering. The snapshot does not contain password hashes, but there have been cases where administrators stored passwords in the comment field.
Date
2023-03-14
Modified
2025-07-09
Id
9212f354-7775-4e28-9c9f-8f0a4544e664
Tags
attack.discovery attack.t1087.002 attack.t1069.002 attack.t1482
Type
Community Rule
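
As an added illustration of what this rule looks for (example code written for this page, not the Sigma rule itself and not code from SigmaHQ or the rule author): a small Python detector that applies the logic stated in the description to constructed Sysmon-style process-creation events. The field names Image, OriginalFileName and CommandLine, the OriginalFileName value AdExp for a renamed ADExplorer binary, and the `-snapshot "<description>" <outputfile>` argument order are assumptions; check them against the rule's own selection block and the ADExplorer usage text before relying on the output-path extraction.

```python
"""Toy detector for ADExplorer "-snapshot" process-creation events.

Added example modeled on the rule description above; it is NOT the Sigma
rule. Field names follow Sysmon Event ID 1 conventions (assumption) and
Sigma 'contains' semantics are reproduced as a case-insensitive substring
match, which is why a second, image-based condition is required to avoid
false positives on unrelated tools that also take a "-snapshot" switch.
"""
import re
from typing import Dict, List, Optional

RULE_ID = "9212f354-7775-4e28-9c9f-8f0a4544e664"


def is_adexplorer(event: Dict[str, str]) -> bool:
    """Match the binary by path suffix OR by PE OriginalFileName.

    The OriginalFileName check (assumed value 'AdExp') is what catches a
    renamed copy of ADExplorer.exe, a common evasion for LOLBin-style tools.
    """
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\adexplorer.exe") or original == "adexp"


def has_snapshot_flag(event: Dict[str, str]) -> bool:
    """Sigma-style 'CommandLine|contains: -snapshot' (substring, case-insensitive)."""
    return "-snapshot" in event.get("CommandLine", "").lower()


def matches_rule(event: Dict[str, str]) -> bool:
    """Both selections must hold, mirroring 'all of selection*'."""
    return is_adexplorer(event) and has_snapshot_flag(event)


def snapshot_output_path(cmdline: str) -> Optional[str]:
    """Enrichment for triage: recover the snapshot file that was written.

    Assumed usage form: ADExplorer.exe -snapshot "<description>" <outputfile>.
    Tokenising keeps quoted arguments (including an empty "" description)
    as single tokens so the file name is the second token after the flag.
    """
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    for i, tok in enumerate(tokens):
        if tok.lower() == "-snapshot" and i + 2 < len(tokens):
            return tokens[i + 2].strip('"')
    return None


def scan(events: List[Dict[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Run the rule over a batch of events and emit enriched alerts."""
    alerts = []
    for ev in events:
        if matches_rule(ev):
            alerts.append({
                "rule_id": RULE_ID,
                "user": ev.get("User"),
                "image": ev.get("Image"),
                "output_path": snapshot_output_path(ev.get("CommandLine", "")),
            })
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # 1: plain ADExplorer snapshot -> alert
        "Image": "C:\\Tools\\ADExplorer.exe", "OriginalFileName": "AdExp",
        "CommandLine": 'ADExplorer.exe -snapshot "" C:\\Users\\Public\\ad.dat',
        "User": "CORP\\jdoe",
    },
    {   # 2: renamed binary, caught via OriginalFileName -> alert
        "Image": "C:\\Temp\\svchost.exe", "OriginalFileName": "AdExp",
        "CommandLine": 'svchost.exe -snapshot "backup" C:\\Temp\\1.dat',
        "User": "CORP\\svc_backup",
    },
    {   # 3: interactive ADExplorer, no snapshot flag -> no alert
        "Image": "C:\\Tools\\ADExplorer.exe", "OriginalFileName": "AdExp",
        "CommandLine": '"C:\\Tools\\ADExplorer.exe"', "User": "CORP\\admin",
    },
    {   # 4: unrelated (hypothetical) tool whose switch contains "-snapshot" -> no alert
        "Image": "C:\\Tools\\backup.exe", "OriginalFileName": "backup.exe",
        "CommandLine": "backup.exe -snapshot-only D:\\data", "User": "CORP\\ops",
    },
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Alert 1 and 2 fire; event 3 shows that merely launching ADExplorer is not enough, and event 4 shows why the image/OriginalFileName selection is needed alongside the substring match. During response, the recovered output_path is the file to collect (and to check for an attacker exfiltrating it), since the snapshot is the actual data theft.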

Rule History

Date       | Author                   | Title                                                                              | Commit
2025-08-14 | phantinuss               | Merge PR #5557 from @phantinuss - Bump pySigma-validators-sigmahq to 0.10         |
2025-07-14 | Arnim Rupp               | Merge PR #5518 from @ruppde - new rule and updates for ADExplorer                 |
2024-08-12 | Nasreddine Bencherchali  | Merge PR #4950 from @nasbench - Comply With v2 Spec Changes                       |
2024-02-01 | github-actions[bot]      | Merge PR #4700 from @nasbench - Promote older rules status from `experimental` to `test` |
2023-03-14 | Nasreddine Bencherchali  | feat: new rules and update                                                         |