Intel Name: Active directory database snapshot via adexplorer
Date of Scan: July 15, 2025
Impact: Medium
Summary: Detects the use of Sysinternals ADExplorer with the “-snapshot” flag to create a local copy of the Active Directory database. Attackers may leverage this snapshot to extract data for tools like BloodHound, gather usernames for password spraying, or exploit metadata for social engineering.
While the snapshot doesn’t include password hashes, some cases have revealed passwords stored in comment fields by administrators. This activity can indicate early reconnaissance or preparation for broader attacks.
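Detection logic for the behaviour described above, as an added example that is not part of the original intel entry: it checks constructed Sysmon-style process-creation records for the ADExplorer image name or its PE `OriginalFileName` (assumed here to be `AdExp`) combined with a standalone `-snapshot` switch, so a renamed binary is still caught.

```python
import ntpath
from typing import Dict, List, Tuple

# Constructed Sysmon EID 1-style records for illustration; not real telemetry.
EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Tools\ADExplorer.exe", "OriginalFileName": "AdExp",
     "CommandLine": r'ADExplorer.exe -snapshot "" C:\Users\bob\ad.dat'},
    {"Image": r"C:\Tools\ADExplorer64.exe", "OriginalFileName": "AdExp",
     "CommandLine": r'ADExplorer64.exe -SNAPSHOT "dc01.corp.local" C:\temp\out.dat'},
    # Binary renamed to blend in; only the PE metadata still says ADExplorer.
    {"Image": r"C:\Windows\Temp\svchost.exe", "OriginalFileName": "AdExp",
     "CommandLine": r'svchost.exe -snapshot "" C:\Windows\Temp\s.dat'},
    # Interactive browsing without a snapshot: noisy but not this rule.
    {"Image": r"C:\Tools\ADExplorer.exe", "OriginalFileName": "AdExp",
     "CommandLine": r"ADExplorer.exe"},
    # Unrelated tool that also takes a "snapshot"-like action.
    {"Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": r"vssadmin create shadow /for=C:"},
]

IMAGE_NAMES = {"adexplorer.exe", "adexplorer64.exe"}
# Assumption: the Sysinternals ADExplorer PE carries OriginalFileName "AdExp".
ORIGINAL_NAME = "adexp"


def is_adexplorer_snapshot(event: Dict[str, str]) -> bool:
    """True when the process looks like ADExplorer run with the -snapshot switch."""
    image = ntpath.basename(event.get("Image", "")).lower()
    orig = event.get("OriginalFileName", "").lower()
    if image not in IMAGE_NAMES and orig != ORIGINAL_NAME:
        return False
    # Compare whole tokens (case-insensitively) so "-snapshot" must be an
    # actual switch rather than a substring of an output path or server name.
    tokens = event.get("CommandLine", "").split()
    return any(tok.lower() == "-snapshot" for tok in tokens[1:])


def find_snapshot_events(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (Image, CommandLine) for every record matching the rule."""
    return [(e["Image"], e["CommandLine"]) for e in events if is_adexplorer_snapshot(e)]


if __name__ == "__main__":
    for image, cmdline in find_snapshot_events(EVENTS):
        print(f"ALERT ADExplorer snapshot: {image} :: {cmdline}")
```

The third record shows why matching on the image name alone is not enough; the `OriginalFileName` check is what catches the renamed copy.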