
Suspicious Active Directory Database Snapshot Via ADExplorer (ef61af62-bc74-4f58-b49b-626448227652)

Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the Active Directory database to a suspicious directory. Attackers can use such a snapshot to extract data for BloodHound, to harvest usernames for password spraying, or to mine the object metadata for social engineering. The snapshot does not contain password hashes, but there have been cases where administrators put passwords in the comment field.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) | Attack Pattern | Suspicious Active Directory Database Snapshot Via ADExplorer (ef61af62-bc74-4f58-b49b-626448227652) | Sigma-Rules | 1 |
| Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) | Attack Pattern | Suspicious Active Directory Database Snapshot Via ADExplorer (ef61af62-bc74-4f58-b49b-626448227652) | Sigma-Rules | 1 |
| Suspicious Active Directory Database Snapshot Via ADExplorer (ef61af62-bc74-4f58-b49b-626448227652) | Sigma-Rules | Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0) | Attack Pattern | 1 |
| Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) | Attack Pattern | Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) | Attack Pattern | 2 |
| Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) | Attack Pattern | Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) | Attack Pattern | 2 |