legitimate use of adexplorer by administrators creating .dat snapshots

t1069
t1069.002
t1087
t1087.002
t1482
windows
sigma

Techniques

t1069
t1069.002
t1087
t1087.002
t1482

Sample rules

ADExplorer Writing Complete AD Snapshot Into .dat File

source: sigma
technicques:
- t1069
- t1069.002
- t1087
- t1087.002
- t1482

Description

Detects the dual use tool ADExplorer writing a complete AD snapshot into a .dat file. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn’t contain password hashes but there have been cases, where administrators put passwords in the comment field.

Detection logic

condition: selection
selection:
  Image|endswith:
  - \ADExp.exe
  - \ADExplorer.exe
  - \ADExplorer64.exe
  - \ADExplorer64a.exe
  TargetFilename|endswith: .dat