Active Directory Database Snapshot Via ADExplorer

Sigma Rules

Summary
This detection rule identifies execution of Sysinternals ADExplorer with the "-snapshot" flag. ADExplorer is a legitimate Active Directory (AD) viewer and editor; in snapshot mode it writes the contents of the directory to a local file instead of displaying them interactively. An attacker who obtains such a snapshot can take it off the network and analyse the domain (users, groups, trusts, ACLs, computer objects) offline, without generating further LDAP traffic against the domain controllers, and use the results to plan lateral movement or to select targets for credential theft. The rule monitors Windows process creation events and matches when the created process is ADExplorer and the command line contains the keyword "snapshot"; both conditions must hold for an alert to fire. Because administrators also use snapshots for legitimate auditing and change tracking, an alert indicates potentially unauthorized access to sensitive AD data and should be triaged against the executing user, host, output path and change-control records rather than treated as confirmed malicious activity.
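The following Python block is an added example, not code from the Sigma project, that replays the rule's two conditions over constructed process-creation events. Field names follow the Sysmon Event ID 1 / Sigma `process_creation` convention (`Image`, `CommandLine`, `OriginalFileName`); matching is case-insensitive, as Sigma string modifiers are by default. The `OriginalFileName` value `AdExp` used to catch a renamed binary is an assumption about the PE header of ADExplorer.exe, and the sample command lines (including the snapshot syntax) are constructed for illustration.

```python
"""Replay of the "ADExplorer -snapshot" detection over constructed events.

Added example; not the rule's own code. Field names mirror Sysmon Event ID 1
and the Sigma process_creation log source.
"""

# Sigma 'endswith' / 'contains' modifiers are case-insensitive by default,
# so the helpers normalise both sides before comparing.
def _ci_endswith(value, suffix):
    return value is not None and value.lower().endswith(suffix.lower())


def _ci_contains(value, needle):
    return value is not None and needle.lower() in value.lower()


# Assumption: the PE OriginalFileName of ADExplorer.exe is "AdExp". Checking it
# catches the tool when an attacker renames the binary on disk.
ADEXPLORER_ORIGINAL_NAME = "AdExp"
ADEXPLORER_IMAGES = ("\\ADExplorer.exe", "\\ADExplorer64.exe")


def is_adexplorer_snapshot(event):
    """Rule condition: (process is ADExplorer) AND ('snapshot' in command line)."""
    image = event.get("Image")
    is_adexplorer = (
        any(_ci_endswith(image, suffix) for suffix in ADEXPLORER_IMAGES)
        or event.get("OriginalFileName") == ADEXPLORER_ORIGINAL_NAME
    )
    return is_adexplorer and _ci_contains(event.get("CommandLine"), "snapshot")


def run_detection(events):
    """Return the EventIds of events that satisfy the rule."""
    return [e["EventId"] for e in events if is_adexplorer_snapshot(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # 1: plain use of the documented snapshot mode -> alert
        "EventId": 1, "User": "CORP\\jdoe",
        "Image": "C:\\Tools\\ADExplorer.exe",
        "OriginalFileName": "AdExp",
        "CommandLine": 'ADExplorer.exe -snapshot "" C:\\Users\\Public\\corp.dat',
    },
    {   # 2: renamed binary, upper-case flag, output to a share -> alert
        "EventId": 2, "User": "CORP\\svc-backup",
        "Image": "C:\\Users\\svc-backup\\AppData\\Local\\Temp\\svc.exe",
        "OriginalFileName": "AdExp",
        "CommandLine": 'svc.exe -SNAPSHOT "" \\\\fs01\\drop\\ad.dat',
    },
    {   # 3: interactive ADExplorer with no snapshot flag -> no alert
        "EventId": 3, "User": "CORP\\admin",
        "Image": "C:\\Tools\\ADExplorer64.exe",
        "OriginalFileName": "AdExp",
        "CommandLine": "ADExplorer64.exe",
    },
    {   # 4: 'snapshot' keyword from an unrelated process -> no alert
        "EventId": 4, "User": "NT AUTHORITY\\SYSTEM",
        "Image": "C:\\Windows\\System32\\vssadmin.exe",
        "OriginalFileName": "VSSADMIN.EXE",
        "CommandLine": "vssadmin.exe list shadows /for=C:",
    },
    {   # 5: Hyper-V snapshot via PowerShell, keyword present, wrong image -> no alert
        "EventId": 5, "User": "CORP\\admin",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe Checkpoint-VM -Name web01 -SnapshotName pre-patch",
    },
]


if __name__ == "__main__":
    for event_id in run_detection(SAMPLE_EVENTS):
        hit = next(e for e in SAMPLE_EVENTS if e["EventId"] == event_id)
        # Triage context an analyst wants alongside the alert.
        print(f"ALERT event={event_id} user={hit['User']} cmd={hit['CommandLine']}")
```

Events 1 and 2 fire, events 3 to 5 do not: the image check alone would miss the renamed binary in event 2, and the keyword check alone would flag the unrelated backup and Hyper-V commands in events 4 and 5, which is why the rule requires both. The `User` and `CommandLine` fields carried into the alert are what separates an administrator's scheduled audit from an unexpected snapshot written by a service account to a file share.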
Categories
  • Windows
  • Endpoint
  • Identity Management
Data Sources
  • Process
Created: 2023-03-14