Active Directory Database Snapshot Via ADExplorer

    Date: 07/15/2025

    Severity: Medium

    Summary

    Detects the use of Sysinternals ADExplorer with the "-snapshot" flag to create a local copy of the Active Directory database. Attackers may leverage this snapshot to extract data for tools like BloodHound, gather usernames for password spraying, or exploit metadata for social engineering.
    While the snapshot doesn't include password hashes, some cases have revealed passwords stored in comment fields by administrators. This activity can indicate early reconnaissance or preparation for broader attacks.

    Indicators of Compromise (IOC) List 

    Image : 

    - '\ADExp.exe'

    - '\ADExplorer.exe'

    - '\ADExplorer64.exe'

    - '\ADExplorer64a.exe'

    OriginalFileName :

    'AdExp'

    Description : 

    'Active Directory Editor'

    Product : 

    'Sysinternals ADExplorer'

    CommandLine : 

    'snapshot'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query : 

(resourcename = "Windows Security" AND eventtype = "4688") AND processname IN ("ADExp.exe","ADExplorer.exe","ADExplorer64.exe","ADExplorer64a.exe") AND originalfilename like "AdExp" AND description like "Active Directory Editor" AND product like "Sysinternals ADExplorer" AND commandline like "snapshot"

    Detection Query : 

    (technologygroup = "EDR") AND processname IN ("ADExp.exe","ADExplorer.exe","ADExplorer64.exe","ADExplorer64a.exe") AND originalfilename like "AdExp" AND description like "Active Directory Editor" AND product like "Sysinternals ADExplorer" AND commandline like "snapshot"

    Detection Query : 

    (resourcename = "Sysmon" AND eventtype = "1") AND image IN ("ADExp.exe","ADExplorer.exe","ADExplorer64.exe","ADExplorer64a.exe") AND originalfilename like "AdExp" AND description like "Active Directory Editor" AND product like "Sysinternals ADExplorer" AND commandline like "snapshot"

    Detection Query : 

    (technologygroup = "EDR") AND image IN ("ADExp.exe","ADExplorer.exe","ADExplorer64.exe","ADExplorer64a.exe") AND originalfilename like "AdExp" AND description like "Active Directory Editor" AND product like "Sysinternals ADExplorer" AND commandline like "snapshot"
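    The following is an added example, not part of the Gurucul advisory and not Gurucul query code, that re-implements the clauses of the queries above in Python and runs them over constructed Sysmon Event ID 1 style records. It assumes the Image list is matched as a case-insensitive path suffix (the IOC entries carry a leading backslash) and that every "like" clause is a case-insensitive substring test; the field names follow Sysmon's, and the sample records and the "Contoso" values are made up for the example.

```python
"""Added example (not part of the Gurucul advisory): re-implement the clauses of
the ADExplorer snapshot detection queries and run them over constructed
Sysmon Event ID 1 style records. Field semantics are assumed: the Image list
is matched as a case-insensitive path suffix, and every `like` clause as a
case-insensitive substring test."""

# Image suffixes from the IOC list
IMAGE_SUFFIXES = (
    "\\ADExp.exe",
    "\\ADExplorer.exe",
    "\\ADExplorer64.exe",
    "\\ADExplorer64a.exe",
)

# Substring clauses from the queries, keyed by Sysmon field name
SUBSTRING_CLAUSES = {
    "OriginalFileName": "AdExp",
    "Description": "Active Directory Editor",
    "Product": "Sysinternals ADExplorer",
    "CommandLine": "snapshot",
}


def _contains(value, needle):
    """Case-insensitive substring test; a missing field never matches."""
    return needle.lower() in (value or "").lower()


def failed_clauses(event):
    """Return the names of the clauses this event does not satisfy.

    An empty list means every clause matched, i.e. the detection fires.
    Reporting the failing clauses instead of a bare boolean shows why a
    near miss did not alert, which is what you need when tuning the rule."""
    failed = []
    image = (event.get("Image") or "").lower()
    if not any(image.endswith(suffix.lower()) for suffix in IMAGE_SUFFIXES):
        failed.append("Image")
    for field, needle in SUBSTRING_CLAUSES.items():
        if not _contains(event.get(field), needle):
            failed.append(field)
    return failed


def matches_adexplorer_snapshot(event):
    """True when all clauses match, mirroring the AND of the queries above."""
    return not failed_clauses(event)


# Constructed sample records (not real telemetry)
SAMPLE_EVENTS = [
    {   # Snapshot of the directory written to disk: should alert
        "EventID": 1,
        "Image": "C:\\Tools\\ADExplorer64.exe",
        "OriginalFileName": "AdExp",
        "Description": "Active Directory Editor",
        "Product": "Sysinternals ADExplorer",
        "CommandLine": 'ADExplorer64.exe -snapshot "" C:\\Users\\Public\\ad.dat',
    },
    {   # Same binary started for interactive browsing, no -snapshot: no alert
        "EventID": 1,
        "Image": "C:\\Tools\\ADExplorer64.exe",
        "OriginalFileName": "AdExp",
        "Description": "Active Directory Editor",
        "Product": "Sysinternals ADExplorer",
        "CommandLine": "ADExplorer64.exe",
    },
    {   # Unrelated in-house tool that merely shares the file name: the file
        # metadata clauses keep it from alerting (all values constructed)
        "EventID": 1,
        "Image": "C:\\Program Files\\Contoso\\ADExplorer.exe",
        "OriginalFileName": "AssetExplorer.exe",
        "Description": "Contoso Asset Database Explorer",
        "Product": "Contoso IT Tools",
        "CommandLine": "ADExplorer.exe --snapshot nightly",
    },
]


def evaluate(events):
    """Return one (alerted, failed clauses) pair per event."""
    return [(matches_adexplorer_snapshot(e), failed_clauses(e)) for e in events]


if __name__ == "__main__":
    for event, (hit, failed) in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        status = "ALERT" if hit else f"no alert (failed: {', '.join(failed)})"
        print(f"{event['Image']}: {status}")
```

    Because every clause is ANDed, the rule only fires when the file metadata is present in the record. A native Windows Security 4688 event carries the process name and (when command line auditing is enabled) the command line, but not OriginalFileName, Description or Product; those come from Sysmon Event ID 1 or from EDR enrichment, so the first query depends on that enrichment being available in the log source.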

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml


    Tags

    Sigma, ADExplorer, Exploit, Social Engineering
