PUA - DIT Snapshot Viewer
Detects the use of the Ditsnap tool, an inspection tool for the Active Directory database (ntds.dit). Because ntds.dit holds the domain's password hashes, taking a snapshot of it is an offline credential-access step (ATT&CK T1003.003), which is why the rule is rated high despite the tool's benign origin.
Sigma rule
title: PUA - DIT Snapshot Viewer
id: d3b70aad-097e-409c-9df2-450f80dc476b
status: test
description: Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.
references:
    - https://thedfirreport.com/2020/06/21/snatch-ransomware/
    - https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap
author: Furkan Caliskan (@caliskanfurkan_)
date: 2020-07-04
modified: 2023-02-21
tags:
    - attack.credential-access
    - attack.t1003.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\ditsnap.exe'
        - CommandLine|contains: 'ditsnap.exe'
    condition: selection
falsepositives:
    - Legitimate admin usage
level: high
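The two items under `selection` are a Sigma list, so they are OR-ed, and Sigma string matching is case-insensitive unless the `cased` modifier is used; with `condition: selection`, the rule fires whenever either item matches. The following is an added example, not part of the rule or of the SigmaHQ project: it re-implements just enough of Sigma's matching semantics in Python to run this rule's selection over a handful of constructed Sysmon Event ID 1 style records (the field names Image, CommandLine and ProcessId follow the Sysmon schema; the paths, PIDs and command lines are invented for the demonstration). It shows what the rule catches (the tool under its own name in any casing, and a command line that merely mentions ditsnap.exe, such as a copy used for staging) and what it misses (a renamed copy executed without the original name).

```python
"""Evaluate the `selection` of the PUA - DIT Snapshot Viewer rule against
process_creation events, using Sigma's string-matching semantics.

Added example, not part of the rule or of the SigmaHQ project. The events
below are constructed Sysmon Event ID 1 style records, not real telemetry.
"""
from typing import Dict, List

# The selection exactly as the rule states it: a list of single-key maps.
# In Sigma, a list under a selection is OR-ed, keys inside one map are AND-ed,
# and string comparisons are case-insensitive unless `cased` is used.
SELECTION: List[Dict[str, str]] = [
    {"Image|endswith": "\\ditsnap.exe"},
    {"CommandLine|contains": "ditsnap.exe"},
]


def _field_matches(event: Dict[str, object], key: str, pattern: str) -> bool:
    """Apply one `Field|modifier: pattern` item to an event (case-insensitive)."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if not isinstance(value, str):
        return False
    value, pattern = value.lower(), pattern.lower()
    if modifier == "":
        return value == pattern
    if modifier == "endswith":
        return value.endswith(pattern)
    if modifier == "startswith":
        return value.startswith(pattern)
    if modifier == "contains":
        return pattern in value
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def matched_alternatives(event: Dict[str, object]) -> List[str]:
    """Return the keys of the OR-ed alternatives that fire for this event."""
    hits: List[str] = []
    for alternative in SELECTION:
        if all(_field_matches(event, k, v) for k, v in alternative.items()):
            hits.extend(alternative.keys())
    return hits


def run_rule(events: List[Dict[str, object]]) -> Dict[int, List[str]]:
    """Map ProcessId -> fired alternatives for every event the rule matches."""
    return {e["ProcessId"]: hits for e in events if (hits := matched_alternatives(e))}


# Constructed sample telemetry (Sysmon Event ID 1 field names), not real logs.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # Tool run under its own name from a Downloads folder: both items fire.
    {"EventID": 1, "ProcessId": 4012,
     "Image": "C:\\Users\\adm\\Downloads\\ditsnap.exe",
     "CommandLine": "ditsnap.exe"},
    # Same tool in upper case: still matched, Sigma compares case-insensitively.
    {"EventID": 1, "ProcessId": 4056,
     "Image": "C:\\Temp\\DITSNAP.EXE",
     "CommandLine": "\"C:\\Temp\\DITSNAP.EXE\""},
    # Renamed copy executed without mentioning the original name: the rule is blind here.
    {"EventID": 1, "ProcessId": 4100,
     "Image": "C:\\Temp\\svchost32.exe",
     "CommandLine": "\"C:\\Temp\\svchost32.exe\""},
    # The staging step that produced the renamed copy: Image is cmd.exe, but the
    # original file name is on the command line, so the `contains` item fires.
    {"EventID": 1, "ProcessId": 4120,
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c copy \\\\fileshare\\tools\\ditsnap.exe C:\\Temp\\svchost32.exe"},
    # Benign near-miss: 'ditsnap_notes.txt' does not contain 'ditsnap.exe'.
    {"EventID": 1, "ProcessId": 4200,
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe ditsnap_notes.txt"},
]


if __name__ == "__main__":
    for pid, hits in run_rule(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} matched={hits}")
```

Two points worth noting when tuning this rule: the leading backslash in `\ditsnap.exe` anchors the `endswith` item to the exact file name, so `notditsnap.exe` does not match on Image, whereas the `contains` item on CommandLine matches any substring and therefore also catches copy or rename commands that mention the original binary. Conversely, an attacker who renames the binary before executing it leaves nothing for this rule to see, which is why it is best paired with the related rules listed below that watch the ntds.dit file itself. The walrus operator in `run_rule` requires Python 3.8 or later.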
Related rules
- Active Directory Database Snapshot Via ADExplorer
- Copying Sensitive Files with Credential Data
- Create Volume Shadow Copy with Powershell
- Cred Dump Tools Dropped Files
- Esentutl Gather Credentials