Active Directory Database Snapshot Via ADExplorer

Severity: medium
Author: Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.

MITRE ATT&CK coverage

Tactic	Techniques
Discovery	`T1069.002` Permission Groups Discovery: Domain Groups, `T1087.002` Account Discovery: Domain Account, `T1482` Domain Trust Discovery

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `all of selection_img`

or:
Description: 'Active Directory Editor'
Image|endswith: '\ADExp.exe'
Image|endswith: '\ADExplorer.exe'
Image|endswith: '\ADExplorer64.exe'
Image|endswith: '\ADExplorer64a.exe'
OriginalFileName: AdExp
Product: 'Sysinternals ADExplorer'

Stage 2: `all of selection_cli`

CommandLine|contains: snapshot

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`snapshot` corpus 3 (sigma 3)
`Description`	eq	`Active Directory Editor` corpus 2 (sigma 2)
`Image`	ends_with	`\ADExp.exe` corpus 3 (sigma 3) `\ADExplorer.exe` corpus 6 (sigma 6) `\ADExplorer64.exe` corpus 6 (sigma 6) `\ADExplorer64a.exe` corpus 4 (sigma 4)
`OriginalFileName`	eq	`AdExp` corpus 2 (sigma 2)
`Product`	eq	`Sysinternals ADExplorer` corpus 2 (sigma 2)