LoFP / legitimate usage to restore snapshots

Techniques

Sample rules

Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)

Description

Detects execution of ntdsutil.exe with command lines that mount an Active Directory snapshot or activate the NTDS instance (`activate instance ntds`, which ntdsutil also accepts abbreviated as `ac i ntds`). Both are steps an administrator takes to restore or inspect a snapshot, and both are also the usual prelude to dumping the NTDS.dit database, so the rule flags them as suspicious rather than as malicious.

Detection logic

selection_img:
    - Image|endswith: '\ntdsutil.exe'
    - OriginalFileName: 'ntdsutil.exe'
selection_cli:
    - CommandLine|contains|all:
          - 'snapshot'
          - 'mount '
    - CommandLine|contains|all:
          - 'ac'
          - ' i'
          - ' ntds'
condition: all of selection_*
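To see which ntdsutil.exe invocations the two command-line patterns actually catch, and why a legitimate snapshot restore trips the rule, the following is an added Python example; it is not part of this page or of the Sigma project. It re-implements only the Sigma modifiers this rule uses (endswith, contains|all and plain equality), case-insensitively as the Sigma specification requires, and evaluates the rule over constructed Sysmon-style process-creation events. The events, paths and account names are made up for illustration.

```python
"""Evaluate the ntdsutil.exe Sigma rule over constructed process-creation events.

Added example, not the LoFP page's or the Sigma project's code. Only the modifiers
the rule uses are implemented (endswith, contains|all, plain equality); Sigma string
matching is case-insensitive, so everything is lower-cased before comparison.
"""

# The rule's detection section transcribed as Python: "field|modifiers" keys with
# lists of values. A selection written as a list is OR between its items.
RULE = {
    "selection_img": [
        {"Image|endswith": ["\\ntdsutil.exe"]},
        {"OriginalFileName": ["ntdsutil.exe"]},
    ],
    "selection_cli": [
        {"CommandLine|contains|all": ["snapshot", "mount "]},
        # fragments of "activate instance ntds", chosen to also hit "ac i ntds"
        {"CommandLine|contains|all": ["ac", " i", " ntds"]},
    ],
}
CONDITION = "all of selection_*"


def _field_matches(event, key, values):
    """One 'field|modifiers: values' entry of a Sigma selection item."""
    field, *mods = key.split("|")
    actual = str(event.get(field, "")).lower()
    wanted = [str(v).lower() for v in values]
    if "contains" in mods:
        hits = [w in actual for w in wanted]
        return all(hits) if "all" in mods else any(hits)
    if "endswith" in mods:
        return any(actual.endswith(w) for w in wanted)
    if not mods:
        return any(actual == w for w in wanted)
    raise NotImplementedError(f"modifier not supported in this example: {key}")


def _selection_matches(event, selection):
    """List selection: OR over items; each item (a map) is AND over its keys."""
    return any(
        all(_field_matches(event, k, v) for k, v in item.items())
        for item in selection
    )


def rule_matches(event, rule=RULE):
    """'all of selection_*': every selection named selection_* must match."""
    return all(
        _selection_matches(event, sel)
        for name, sel in rule.items()
        if name.startswith("selection_")
    )


# Constructed sample events in Sysmon Event ID 1 field names (not real telemetry).
EVENTS = {
    # Credential access: dump NTDS.dit through Install-From-Media.
    "ifm_dump": {
        "Image": r"C:\Windows\System32\ntdsutil.exe",
        "OriginalFileName": "ntdsutil.exe",
        "CommandLine": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Temp\dump" q q',
        "User": "CORP\\svc-backup",
    },
    # The legitimate usage this LoFP entry describes: mount an AD snapshot to restore from it.
    "snapshot_restore": {
        "Image": r"C:\Windows\System32\ntdsutil.exe",
        "OriginalFileName": "ntdsutil.exe",
        "CommandLine": 'ntdsutil.exe snapshot "activate instance ntds" "list all" "mount 3" quit quit',
        "User": "CORP\\da-restore",
    },
    # Renamed copy of the binary: Image no longer ends in \ntdsutil.exe, OriginalFileName still does.
    "renamed_binary": {
        "Image": r"C:\Users\Public\nt.exe",
        "OriginalFileName": "ntdsutil.exe",
        "CommandLine": r'nt.exe "ac i ntds" ifm "create full C:\Temp\nt" q q',
        "User": "CORP\\jdoe",
    },
    # Benign ntdsutil work that touches neither snapshots nor the instance activation.
    "metadata_cleanup": {
        "Image": r"C:\Windows\System32\ntdsutil.exe",
        "OriginalFileName": "ntdsutil.exe",
        "CommandLine": 'ntdsutil.exe "metadata cleanup" "remove selected server" quit quit',
        "User": "CORP\\da-ops",
    },
    # Same command-line fragments from a different binary: the image gate must fail.
    "other_image": {
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c echo snapshot mount done",
        "User": "CORP\\jdoe",
    },
}


def evaluate(events=EVENTS):
    """Return {event name: True if the rule fires}."""
    return {name: rule_matches(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{'ALERT ' if hit else 'no hit'}  {name}")
```

The second command-line pattern uses deliberately short fragments so that both the long form `activate instance ntds` and the abbreviation `ac i ntds` match; a snapshot restore activates the same instance and mounts a snapshot, so it fires the rule exactly like the IFM dump does. Tune the false positive by filtering on the restoring account, host or change window rather than by lengthening the fragments, which would let the abbreviated form through.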