Skip to content

Hide Navigation Hide TOC

Suspicious Active Directory Database Snapshot Via ADExplorer (ef61af62-bc74-4f58-b49b-626448227652)

Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory.

Cluster A Galaxy A Cluster B Galaxy B Level
Suspicious Active Directory Database Snapshot Via ADExplorer (ef61af62-bc74-4f58-b49b-626448227652) Sigma-Rules NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern 1
Suspicious Active Directory Database Snapshot Via ADExplorer (ef61af62-bc74-4f58-b49b-626448227652) Sigma-Rules Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern 1
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern 2