Techniques
Sample rules
PUA - DIT Snapshot Viewer
- source: sigma
- techniques:
  - t1003
  - t1003.003
 
Description
Detects use of the Ditsnap tool, an inspection tool for the Active Directory database, ntds.dit.
Detection logic
condition: selection
selection:
- Image|endswith: \ditsnap.exe
- CommandLine|contains: ditsnap.exe
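
How the selection above evaluates, as an added example that is not part of the original rule or of any Sigma tooling: the list of maps is ORed, and string matching is case-insensitive as in Sigma's default. The event dictionaries and helper names are constructed for illustration.

```python
# Added example: evaluate the rule's selection over constructed process events.

def _endswith(value, suffix):
    return value.lower().endswith(suffix.lower())

def _contains(value, needle):
    return needle.lower() in value.lower()

# Only the two modifiers this rule uses are implemented.
MODIFIERS = {"endswith": _endswith, "contains": _contains}

# The selection from the rule: a list of maps, which Sigma ORs together.
SELECTION = [
    {"Image|endswith": "\\ditsnap.exe"},
    {"CommandLine|contains": "ditsnap.exe"},
]

def matches_map(event, item):
    """Every field condition inside one map must hold (AND)."""
    for key, expected in item.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None or not MODIFIERS[modifier](value, expected):
            return False
    return True

def matches_selection(event, selection=SELECTION):
    """condition: selection -> true if any map in the list matches."""
    return any(matches_map(event, item) for item in selection)

# Constructed process-creation events (not real telemetry).
EVENTS = [
    # Matches on Image (and on CommandLine).
    {"Image": r"C:\Tools\ditsnap.exe", "CommandLine": r"C:\Tools\ditsnap.exe"},
    # Image is cmd.exe; matches on CommandLine only, despite different casing.
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c D:\DitSnap.exe"},
    # Unrelated process: no match.
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": r"notepad.exe C:\notes.txt"},
    # The leading backslash anchors the file name, so "myditsnap.exe" fails endswith.
    {"Image": r"C:\Tools\myditsnap.exe", "CommandLine": ""},
]

def evaluate_all(events=EVENTS):
    return [matches_selection(e) for e in events]

if __name__ == "__main__":
    for event, hit in zip(EVENTS, evaluate_all()):
        print("ALERT" if hit else "-----", event["Image"], "|", event["CommandLine"])
```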
