ExtraHop Logo
Try ExtraHop
Menu iconX icon
  • Platformchevron right
  • Solutionschevron right
  • Modern NDRchevron right
  • Resourceschevron right
  • Companychevron right
User iconSign In
Contact Us

DETECTION OVERVIEW

AD Explorer Snapshot Activity

Risk Factors

AD Explorer is a publicly available tool for viewing and managing AD databases. Attackers can view an AD snapshot to discover important information, enabling later steps of the attack campaign.

Kill Chain

Reconnaissance

Risk Score

37

Next in Reconnaissance: AS-REP Roasting LDAP Reconnaissance Activity

Attack Background

AD Explorer is considered to be dual-use software, which can be leveraged for both legitimate and malicious activity. An attacker with network access to the Domain Controller (DC) can run AD Explorer to capture a snapshot of the AD database and save the copy to a local file. The snapshot serves as a record of the AD environment. Attackers can enumerate information from the snapshot offline about objects within the domain, such as privileged users, groups, configuration settings, and subnets without being detected.

Mitigation Options

Apply the principles of least privilege to domain users to reduce the information users can enumerate through tools such as AD Explorer

Because securing LDAP servers can be difficult without compromising functionality, monitor and investigate unusual LDAP activity quickly to minimize potential damage

MITRE ATT&CK ID

What else can RevealX do for you?

View our Periodic Table of use casesArrow pointing right