ADExplorer is being used to exfiltrate a complete Active Directory snapshot into a .dat file, which could be leveraged by adversaries to gather network topology or credentials for further attacks. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential reconnaissance or credential harvesting activities early.
Detection Rule
title: ADExplorer Writing Complete AD Snapshot Into .dat File
id: 0a1255c5-d732-4b62-ac02-b5152d34fb83
related:
    - id: 9212f354-7775-4e28-9c9f-8f0a4544e664
      type: similar
status: experimental
description: Detects the dual-use tool ADExplorer writing a complete AD snapshot into a .dat file. Attackers can use such a snapshot to extract data for BloodHound, to harvest usernames for password spraying, or to mine the metadata for social engineering. The snapshot does not contain password hashes, but there have been cases where administrators put passwords in the comment field.
references:
    - https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer
    - https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24
    - https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/
    - https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/
    - https://trustedsec.com/blog/adexplorer-on-engagements
author: Arnim Rupp (Nextron Systems), Thomas Patzke
date: 2025-07-09
tags:
    - attack.discovery
    - attack.t1087.002
    - attack.t1069.002
    - attack.t1482
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\ADExp.exe'
            - '\ADExplorer.exe'
            - '\ADExplorer64.exe'
            - '\ADExplorer64a.exe'
        TargetFilename|endswith: '.dat'
    condition: selection
falsepositives:
    - Legitimate use of ADExplorer by administrators creating .dat snapshots
level: medium
Azure Sentinel query (ASIM FileEvent normalization)
// The Sigma 'Image' field is the process that writes the file; in the ASIM FileEvent schema that is ActingProcessName,
// while TargetFileName is the name of the file being written. Testing the process name against TargetFilePath
// would require one path to end in both ".exe" and ".dat" and could never match.
imFileEvent
| where (ActingProcessName endswith "\\ADExp.exe" or ActingProcessName endswith "\\ADExplorer.exe" or ActingProcessName endswith "\\ADExplorer64.exe" or ActingProcessName endswith "\\ADExplorer64a.exe") and TargetFileName endswith ".dat"
Scenario: Scheduled AD Backup Job Using ADExplorer
Description: A legitimate scheduled backup job uses ADExplorer to create a complete AD snapshot for archival purposes.
Filter/Exclusion: Exclude processes initiated by a known backup service (e.g., BackupExec, Veeam, or Dell EMC Data Domain) or filter by the user account used for backups (e.g., backupsvc or backupadmin).
Scenario: Admin Task to Generate AD Schema for Documentation
Description: An administrator uses ADExplorer to export a complete AD snapshot for internal documentation or training.
Filter/Exclusion: Exclude processes initiated by domain administrators with a known pattern of exporting AD data for documentation (e.g., Administrator or ITDocumentation user accounts).
Scenario: ADExplorer Used for Active Directory Health Check
Description: A system administrator uses ADExplorer to perform a health check by exporting a complete AD snapshot for analysis.
Filter/Exclusion: Exclude processes initiated by a specific user or group responsible for AD health checks (e.g., ADHealthCheck group or adhealthsvc service).
Scenario: ADExplorer Used in a Development Environment
Description: A developer uses ADExplorer to export a complete AD snapshot for testing or development purposes in a non-production environment.
Filter/Exclusion: Exclude processes running in a development or test environment (e.g., based on the file system path, IP range, or environment tag like dev or test).
Scenario: ADExplorer Used for Migration or Decommissioning
Description: ADExplorer is used to export a complete AD snapshot as part of a migration or decommissioning process.
Filter/Exclusion: Exclude processes associated with migration tools (e.g., MigrationWiz, ADSync, or `Azure AD
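The following is an added example, not part of the original page, the Sigma project or the ADExplorer tool. It re-implements the rule's selection (ADExplorer image writing a file ending in .dat) in Python and runs it over constructed Sysmon-style file-create events, then applies the two kinds of exclusion the scenarios above describe: an allowlist of accounts known to create snapshots (backup and health-check service accounts) and a non-production host filter. The account names, host prefixes, paths and events are all hypothetical values made up for this example.

```python
import json
from dataclasses import dataclass
from typing import Iterable, List

# Process image names the Sigma rule keys on (compared case-insensitively).
ADEXPLORER_IMAGES = ("\\adexp.exe", "\\adexplorer.exe",
                     "\\adexplorer64.exe", "\\adexplorer64a.exe")

# Tuning allowlists. Every value here is a hypothetical placeholder; a real
# deployment fills them from its own inventory of backup/service accounts and
# its naming convention for dev/test hosts.
ALLOWED_USERS = {"corp\\backupsvc", "corp\\adhealthsvc"}
NONPROD_HOST_PREFIXES = ("dev-", "test-")


@dataclass(frozen=True)
class FileEvent:
    image: str            # creating process (Sysmon Event ID 11 'Image')
    target_filename: str  # file written (Sysmon 'TargetFilename')
    user: str             # account running the process (Sysmon 'User')
    computer: str         # host that logged the event


def load_events(jsonl: str) -> List[FileEvent]:
    """Parse one JSON object per line into FileEvent records."""
    events = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append(FileEvent(rec["Image"], rec["TargetFilename"],
                                rec["User"], rec["Computer"]))
    return events


def matches_rule(ev: FileEvent) -> bool:
    """The Sigma selection: an ADExplorer image writing a file ending in .dat."""
    return (ev.image.lower().endswith(ADEXPLORER_IMAGES)
            and ev.target_filename.lower().endswith(".dat"))


def is_excluded(ev: FileEvent) -> bool:
    """False-positive tuning: known snapshot accounts and non-production hosts."""
    if ev.user.lower() in ALLOWED_USERS:
        return True
    return ev.computer.lower().startswith(NONPROD_HOST_PREFIXES)


def triage(events: Iterable[FileEvent]) -> List[FileEvent]:
    """Return the events that match the rule and survive the exclusions."""
    return [ev for ev in events if matches_rule(ev) and not is_excluded(ev)]


# Constructed sample telemetry (not real logs): one true positive, one backup
# account, one dev host, one non-ADExplorer writer, one non-.dat output.
SAMPLE_LOG = r'''
{"Image": "C:\\Tools\\ADExplorer64.exe", "TargetFilename": "C:\\Users\\jdoe\\Desktop\\corp.dat", "User": "CORP\\jdoe", "Computer": "WS01"}
{"Image": "C:\\Tools\\ADExplorer.exe", "TargetFilename": "D:\\Backups\\ad-snapshot.dat", "User": "CORP\\backupsvc", "Computer": "BKP01"}
{"Image": "C:\\Tools\\ADExplorer.exe", "TargetFilename": "C:\\Temp\\lab.dat", "User": "CORP\\dev1", "Computer": "DEV-WS07"}
{"Image": "C:\\Windows\\System32\\notepad.exe", "TargetFilename": "C:\\Temp\\notes.dat", "User": "CORP\\jdoe", "Computer": "WS01"}
{"Image": "C:\\Tools\\ADExplorer64a.exe", "TargetFilename": "C:\\Temp\\export.txt", "User": "CORP\\jdoe", "Computer": "WS01"}
'''

if __name__ == "__main__":
    for hit in triage(load_events(SAMPLE_LOG)):
        print(f"ALERT {hit.computer} {hit.user} {hit.image} -> {hit.target_filename}")
```

Only the first constructed event survives: the backup-account and dev-host snapshots are suppressed by the exclusions, and the last two never match the selection. Note that, like the Sigma rule, the match is on the image file name only, so a renamed copy of the binary would not be seen by this logic; exclusions keyed on the account or host rather than on the path keep the true positive visible without suppressing the whole rule.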