ADExplorer Snapshot
Introduction
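ADExplorer.exe is a lightweight, advanced Active Directory (AD) viewer and editor developed by Microsoft as part of the Sysinternals Suite. It lets administrators and IT professionals browse, search, and modify objects and attributes within Active Directory through a graphical interface. It can also save a snapshot of the directory to a file for offline viewing, by default with a .dat extension, which is the file activity the query below hunts for.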
KQL
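// .dat files written to disk (ADExplorer snapshots are saved as .dat)
DeviceFileEvents
| where FileName endswith ".dat"
// Correlate the writer of the file (InitiatingProcessId) with the process-creation
// event of that same process (ProcessId), so the company name is the writer's own.
| join kind=inner (
    DeviceProcessEvents
    | where ProcessVersionInfoCompanyName has_any ("Sysinternals", "Microsoft")
    | where FileName endswith ".exe"
  ) on $left.DeviceId == $right.DeviceId, $left.InitiatingProcessId == $right.ProcessId
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessVersionInfoCompanyName, InitiatingProcessAccountName, ReportId
| order by Timestamp desc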
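To check the correlation before running it against live telemetry, the following added example (not part of the original page) applies the same filter and join to constructed rows using `datatable`. All device names, PIDs, paths and company-name strings are made-up sample values, and the join assumes the file writer's PID is matched to the process's own `ProcessId`.

```kql
// Constructed sample data; column names follow the advanced hunting schema.
// Row 1 of FileEvents: a .dat file written by ADExplorer64.exe (PID 4120).
// Row 2 of FileEvents: a .dat file written by an unrelated updater (PID 5300).
let FileEvents = datatable(Timestamp:datetime, DeviceId:string, DeviceName:string,
    FileName:string, FolderPath:string, InitiatingProcessId:long,
    InitiatingProcessFileName:string, InitiatingProcessAccountName:string)
[
    datetime(2024-01-10 09:15:00), "dev-01", "ws01.example.test", "snap.dat",
        @"C:\Users\Public\snap.dat", 4120, "ADExplorer64.exe", "alice",
    datetime(2024-01-10 09:20:00), "dev-01", "ws01.example.test", "cache.dat",
        @"C:\ProgramData\App\cache.dat", 5300, "updater.exe", "SYSTEM"
];
// Process-creation rows: ProcessId is the new process, InitiatingProcessId its parent.
// The third row is a Microsoft binary started by the updater (parent PID 5300).
let ProcessEvents = datatable(DeviceId:string, ProcessId:long, FileName:string,
    ProcessVersionInfoCompanyName:string, InitiatingProcessId:long)
[
    "dev-01", 4120, "ADExplorer64.exe", "Sysinternals - www.sysinternals.com", 880,
    "dev-01", 5300, "updater.exe", "Example Vendor", 900,
    "dev-01", 6000, "notepad.exe", "Microsoft Corporation", 5300
];
FileEvents
| where FileName endswith ".dat"
| join kind=inner (
    ProcessEvents
    | where ProcessVersionInfoCompanyName has_any ("Sysinternals", "Microsoft")
    | where FileName endswith ".exe"
    | project DeviceId, ProcessId, ProcessVersionInfoCompanyName
  ) on $left.DeviceId == $right.DeviceId, $left.InitiatingProcessId == $right.ProcessId
| project Timestamp, DeviceName, FileName, FolderPath,
    InitiatingProcessFileName, ProcessVersionInfoCompanyName, InitiatingProcessAccountName
| order by Timestamp desc
```

The third process row exists to exercise the join key: a join on the parent PID would pair the updater's `cache.dat` with its Microsoft child process, while a join on `ProcessId` ties each file to the process that actually wrote it.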