<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Adexplorer - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/adexplorer/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 14:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/adexplorer/feed.xml" rel="self" type="application/rss+xml"/><item><title>Active Directory Discovery using AdExplorer</title><link>https://feed.craftedsignal.io/briefs/2024-01-ad-explorer-discovery/</link><pubDate>Wed, 03 Jan 2024 14:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-ad-explorer-discovery/</guid><description>AdExplorer, a legitimate Active Directory viewer, can be abused by adversaries for domain reconnaissance, and this rule detects its execution to identify potential malicious discovery activities.</description><content:encoded><![CDATA[<p>AdExplorer is a legitimate utility used for viewing and editing Active Directory (AD) environments. It provides advanced features for exploring AD databases and even creating snapshots for offline analysis. While useful for administrators, adversaries can leverage AdExplorer for reconnaissance purposes within a compromised domain. This involves gathering information about users, groups, trusts, and network configurations to aid in lateral movement or privilege escalation. This activity is often an early stage of post-compromise activity, where attackers are mapping out the AD environment to identify valuable targets and attack paths. Detecting the use of AdExplorer, especially in unusual contexts, can provide an early warning sign of malicious activity within the network. The rule specifically looks for processes named &quot;ADExplorer*.exe&quot; or having the original file name &quot;AdExp.&quot;</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a system within the target network.</li>
<li>The attacker downloads or copies the AdExplorer utility (ADExplorer.exe) to the compromised host.</li>
<li>The attacker executes AdExplorer.exe.</li>
<li>AdExplorer enumerates domain accounts (T1087.002) and groups (T1069.002) within the Active Directory environment.</li>
<li>AdExplorer queries the Active Directory to discover domain trusts (T1482).</li>
<li>The attacker saves a snapshot of the AD database for offline viewing and analysis.</li>
<li>The attacker analyzes the collected information to identify high-value targets, privileged accounts, and potential lateral movement paths.</li>
<li>The attacker uses the gathered information to further compromise the network or achieve their final objective.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation and reconnaissance via AdExplorer allows attackers to map out the Active Directory environment. This allows them to identify critical assets, privileged accounts, and potential vulnerabilities. This information is leveraged for lateral movement, privilege escalation, and ultimately, the exfiltration of sensitive data, deployment of ransomware, or other malicious activities. While the tool itself is benign, its usage in a compromised environment can indicate malicious intent, and is a sign of increased attack risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Active Directory Discovery using AdExplorer - Process Name&quot; to your SIEM to detect AdExplorer execution based on process name.</li>
<li>Deploy the Sigma rule &quot;Active Directory Discovery using AdExplorer - Original File Name&quot; to your SIEM to detect AdExplorer execution based on original file name.</li>
<li>Investigate any alerts generated by these rules, focusing on the context of the execution (user, machine, and associated network activity).</li>
<li>Monitor process creation events for the execution of AdExplorer with unusual command-line arguments or from unexpected locations to identify potentially malicious use.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>discovery</category><category>active-directory</category><category>adexplorer</category><category>windows</category></item></channel></rss>