From 40a8a9ea043c4f810b4785875a05e052dadfc6bf Mon Sep 17 00:00:00 2001
From: Ivan Dyachkov
Date: Fri, 9 Oct 2020 10:19:39 +0300
Subject: [PATCH] Added rule win_susp_diskshadow
---
 .../process_creation/win_susp_diskshadow.yml | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_diskshadow.yml
diff --git a/rules/windows/process_creation/win_susp_diskshadow.yml b/rules/windows/process_creation/win_susp_diskshadow.yml
new file mode 100644
index 000000000..f52ad859c
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_diskshadow.yml
@@ -0,0 +1,29 @@
+title: Diskshadow.exe execution
+id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2
+status: experimental
+description: Detects using Diskshadow.exe to dump NTDS.dit or execute arbitrary code
+references:
+ - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
+tags:
+ - attack.Credential Access
+ - attack.Execution
+ - attack.T1003
+
+author: Ivan Dyachkov, oscd.community
+date: 2020/10/07
+logsource:
+ category: process_creation
+ product: windows
+ definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit msut Include command line in process creation events'
+detection:
+ selection:
+ Image: 'c:\windows\system32\diskshadow.exe'
+ CommandLine|contains:
+ - '/s'
+ - 'exec'
+ condition: selection
+fields:
+ - CommandLine
+falsepositives:
+ - False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts.
+level: high
\ No newline at end of file
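Review bot: The `tags` entries `attack.Credential Access`, `attack.Execution` and `attack.T1003` do not follow the Sigma tag convention (lowercase tactic names joined with underscores, lowercase technique ids), so the tag linter will reject them and backends will not map them; use `attack.credential_access`, `attack.execution` and `attack.t1003` (or `attack.t1003.003`, the NTDS sub-technique the description refers to). The `CommandLine|contains` list is an OR, so the selection fires on any diskshadow command line containing `/s` or the substring `exec`; `exec` is a command inside the diskshadow script file rather than a command-line switch, so it is unlikely to appear in the process command line at all, while diskshadow also accepts `-s` for script mode, which the rule currently misses — consider `- '/s'` and `- '-s'` under `CommandLine|contains` and dropping `exec`. `Image` is an exact match on `c:\windows\system32\diskshadow.exe`; `Image|endswith: '\diskshadow.exe'` would also cover a non-default system drive or a copied binary. The `definition` and `falsepositives` strings contain typos (`msut`, `postitve`).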