PUA - DIT Snapshot Viewer

 1title: PUA - DIT Snapshot Viewer
 2id: d3b70aad-097e-409c-9df2-450f80dc476b
 3status: test
 4description: Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.
 5references:
 6    - https://thedfirreport.com/2020/06/21/snatch-ransomware/
 7    - https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap
 8author: Furkan Caliskan (@caliskanfurkan_)
 9date: 2020/07/04
10modified: 2023/02/21
11tags:
12    - attack.credential_access
13    - attack.t1003.003
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        - Image|endswith: '\ditsnap.exe'
20        - CommandLine|contains: 'ditsnap.exe'
21    condition: selection
22falsepositives:
23    - Legitimate admin usage
24level: high

References

• Snatch Ransomware - The DFIR Report

  

  Another RDP brute force ransomware strikes again, this time, Snatch Team! Snatch Team was able to go from brute forcing a Domain Administrator (DA) account via RDP, to running a … Read More

  
  Read More

• yosqueoy/ditsnap

  

  An inspection tool for Active Directory database. Contribute to yosqueoy/ditsnap development by creating an account on GitHub.

  
  Read More

Related rules

• Esentutl Gather Credentials
• Create Volume Shadow Copy with Powershell
• Transferring Files with Credential Data via Network Shares - Zeek
• NTDSutil Pulling of NTDS.dit File
• Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)