ADExplorer Writing Complete AD Snapshot Into .dat File

Sigma Rules

Summary
This detection rule monitors the activity of the ADExplorer tool, which is used to create a complete snapshot of Active Directory (AD) into a .dat file. Such snapshots have legitimate uses for IT administrators but can also be abused by attackers to gather sensitive information. Attackers can use the snapshots for information gathering, for staging password spray attacks, or for social engineering by harvesting data such as usernames that may appear in comment fields. Notably, while the snapshots exclude password hashes, they still pose a risk if administrators have inadvertently stored sensitive details in the directory. The rule specifically tracks the ADExplorer executable under its known file-name variations and checks whether the file it writes has a .dat extension, raising an alert when both conditions are met.
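The following is an added example of the rule's logic, not the Sigma rule itself or code from the rule's authors: it applies the two conditions described above (ADExplorer image name plus a .dat output file) to constructed file-creation events shaped like Sysmon Event ID 11 records. The executable names in `ADEXPLORER_IMAGES` are this example's assumption, since the page only refers to "known variations".

```python
# Assumed ADExplorer image names; the page does not list the variations it matches.
ADEXPLORER_IMAGES = {"adexplorer.exe", "adexplorer64.exe", "adexplorer64a.exe"}


def image_basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_adexplorer_snapshot(event: dict) -> bool:
    """True when a file-creation event shows ADExplorer writing a .dat file."""
    image = image_basename(event.get("Image", ""))
    target = event.get("TargetFilename", "").lower()
    return image in ADEXPLORER_IMAGES and target.endswith(".dat")


def find_snapshot_events(events):
    """Filter FileCreate (EventID 11) events down to ADExplorer snapshot writes."""
    return [e for e in events if e.get("EventID") == 11 and is_adexplorer_snapshot(e)]


# Constructed sample events (not real telemetry) in the shape of Sysmon Event ID 11.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Tools\ADExplorer64.exe",
     "TargetFilename": r"C:\Users\jdoe\Desktop\corp-ad.dat"},      # should alert
    {"EventID": 11, "Image": r"C:\Tools\ADExplorer.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Local\Temp\x.tmp"},  # not a .dat file
    {"EventID": 11, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\jdoe\notes.dat"},                 # .dat, wrong image
    {"EventID": 1, "Image": r"C:\Tools\ADExplorer.exe",
     "TargetFilename": r"C:\Users\jdoe\snap.dat"},                  # not a FileCreate
]

if __name__ == "__main__":
    for hit in find_snapshot_events(SAMPLE_EVENTS):
        print("ADExplorer snapshot written:", hit["Image"], "->", hit["TargetFilename"])
```

Matching on the image name alone is insufficient, as the second sample shows: ADExplorer also writes ordinary non-snapshot files, so the .dat check is what separates a snapshot from routine tool activity.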
Categories
  • Windows
  • Endpoint
  • Identity Management
Data Sources
  • File
Created: 2025-07-09