Update win_susp_vssadmin_ntds_activity.yml

Alec Costello
2019-05-17 15:19:03 +03:00
parent 8b14a5673d
commit 3c8be3d48b
@@ -1,7 +1,7 @@
title: Activity Related to NTDS.dit Domain Hash Retrieval
status: experimental
description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
author: Florian Roth, Michael Haag
author: Florian Roth, Michael Haag, Alec Costello
references:
- https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
- https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
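Review bot: the commit message "Update win_susp_vssadmin_ntds_activity.yml" does not say what changed; the only visible edit in this hunk is the `author:` line going from `Florian Roth, Michael Haag` to `Florian Roth, Michael Haag, Alec Costello`, so a message such as "Add Alec Costello as co-author" would make the history readable without opening the diff. If the detection logic further down the file was also touched in this commit, the Sigma `modified:` date field should be bumped in the same change so rule consumers can see that the rule was revised; nothing in the visible lines touches `title`, `status: experimental`, `description` or `references`, so as shown this is an attribution-only edit.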