Detects the use of Sysinternals ADExplorer with the "-snapshot" flag to create a local copy of the Active Directory database. Attackers may leverage this snapshot to extract data for tools like BloodHound, gather usernames for password spraying, or exploit metadata for social engineering....