detection.wiki

Detection rules › Sigma

ADExplorer Writing Complete AD Snapshot Into .dat File

Severity
medium
Author
Arnim Rupp (Nextron Systems), Thomas Patzke
Source
upstream

Detects the dual use tool ADExplorer writing a complete AD snapshot into a .dat file. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.

MITRE ATT&CK coverage

TacticTechniques
DiscoveryT1069.002 Permission Groups Discovery: Domain Groups, T1087.002 Account Discovery: Domain Account, T1482 Domain Trust Discovery

Event coverage

ProviderEvent IDTitle
Sysmon11FileCreate

Stages and Predicates

Stage 1: selection

or:
Image|endswith: '\ADExp.exe'
Image|endswith: '\ADExplorer.exe'
Image|endswith: '\ADExplorer64.exe'
Image|endswith: '\ADExplorer64a.exe'
TargetFilename|endswith: .dat

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Imageends_with
  • \ADExp.exe corpus 3 (sigma 3)
  • \ADExplorer.exe corpus 6 (sigma 6)
  • \ADExplorer64.exe corpus 6 (sigma 6)
  • \ADExplorer64a.exe corpus 4 (sigma 4)
TargetFilenameends_with
  • .dat corpus 2 (sigma 2)