{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/adexplorer/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Active Directory"],"_cs_severities":["low"],"_cs_tags":["discovery","active-directory","adexplorer","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAdExplorer is a legitimate utility used for viewing and editing Active Directory (AD) environments. It provides advanced features for exploring AD databases and even creating snapshots for offline analysis. While useful for administrators, adversaries can leverage AdExplorer for reconnaissance purposes within a compromised domain. This involves gathering information about users, groups, trusts, and network configurations to aid in lateral movement or privilege escalation. This activity is often an early stage of post-compromise activity, where attackers are mapping out the AD environment to identify valuable targets and attack paths. Detecting the use of AdExplorer, especially in unusual contexts, can provide an early warning sign of malicious activity within the network. The rule specifically looks for processes named \u0026quot;ADExplorer*.exe\u0026quot; or having the original file name \u0026quot;AdExp.\u0026quot;\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the target network.\u003c/li\u003e\n\u003cli\u003eThe attacker downloads or copies the AdExplorer utility (ADExplorer.exe) to the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker executes AdExplorer.exe.\u003c/li\u003e\n\u003cli\u003eAdExplorer enumerates domain accounts (T1087.002) and groups (T1069.002) within the Active Directory environment.\u003c/li\u003e\n\u003cli\u003eAdExplorer queries the Active Directory to discover domain trusts (T1482).\u003c/li\u003e\n\u003cli\u003eThe attacker saves a snapshot of the AD database for offline viewing and analysis.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the collected information to identify high-value targets, privileged accounts, and potential lateral movement paths.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gathered information to further compromise the network or achieve their final objective.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation and reconnaissance via AdExplorer allows attackers to map out the Active Directory environment. This allows them to identify critical assets, privileged accounts, and potential vulnerabilities. This information is leveraged for lateral movement, privilege escalation, and ultimately, the exfiltration of sensitive data, deployment of ransomware, or other malicious activities. While the tool itself is benign, its usage in a compromised environment can indicate malicious intent, and is a sign of increased attack risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Active Directory Discovery using AdExplorer - Process Name\u0026quot; to your SIEM to detect AdExplorer execution based on process name.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Active Directory Discovery using AdExplorer - Original File Name\u0026quot; to your SIEM to detect AdExplorer execution based on original file name.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, focusing on the context of the execution (user, machine, and associated network activity).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for the execution of AdExplorer with unusual command-line arguments or from unexpected locations to identify potentially malicious use.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-ad-explorer-discovery/","summary":"AdExplorer, a legitimate Active Directory viewer, can be abused by adversaries for domain reconnaissance, and this rule detects its execution to identify potential malicious discovery activities.","title":"Active Directory Discovery using AdExplorer","url":"https://feed.craftedsignal.io/briefs/2024-01-ad-explorer-discovery/"}],"language":"en","title":"CraftedSignal Threat Feed - Adexplorer","version":"https://jsonfeed.org/version/1.1"}