From 3c8be3d48bc240b0f59a0cf2123eacf445e07cea Mon Sep 17 00:00:00 2001
From: Alec Costello
Date: Fri, 17 May 2019 15:19:03 +0300
Subject: [PATCH] Update win_susp_vssadmin_ntds_activity.yml

---
 .../process_creation/win_susp_vssadmin_ntds_activity.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml b/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml
index f0780c4e7..3ef734d59 100644
--- a/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml
+++ b/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml
@@ -1,7 +1,7 @@
 title: Activity Related to NTDS.dit Domain Hash Retrieval
 status: experimental
 description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
-author: Florian Roth, Michael Haag
+author: Florian Roth, Michael Haag, Alec Costello
 references:
 - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
 - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/