Suspicious Active Directory Database Snapshot Via ADExplorer

Rule Info

Name
Suspicious Active Directory Database Snapshot Via ADExplorer
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory.
Reference
https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
Date
2023-03-14 00:00:00
Modified
None
Id
ef61af62-bc74-4f58-b49b-626448227652
Tags
attack.credential_access attack.t1552.001 attack.t1003.003 DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=ef61af62-bc74-4f58-b49b-626448227652

Rule History

Author
Title
Date
Commit
github-actions[bot]
Merge PR #4700 from @nasbench - Promote older rules status from `experimental` to `test`
2024-02-01
367ebd939
Nasreddine Bencherchali
fix: apply suggestions from code review
2023-03-15
77cd0bf6c
Nasreddine Bencherchali
fix: cicd errors
2023-03-14
933e99eef
Nasreddine Bencherchali
feat: new rules and update
2023-03-14
90574160e
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022