From c6843d41bca93570f281a26be4030e2bc54104f1 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 17 Mar 2017 00:23:55 +0100
Subject: [PATCH] Rule: Vssadmin / NTDS.dit activity
---
 .../sysmon_susp_vssadmin_ntds_activity.yml | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml
diff --git a/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml b/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml
new file mode 100644
index 000000000..af48acc7a
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml
@@ -0,0 +1,22 @@
+title: Activity Related to NTDS.dit Domain Hash Retrieval
+status: experimental
+description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
+author: Florian Roth
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 1
+ CommandLine:
+ # Ransomware
+ - 'vssadmin.exe Delete Shadows'
+ # Hacking
+ - 'vssadmin create shadow /for=C:'
+ - 'copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit'
+ - 'vssadmin delete shadows /for=C:'
+ - 'reg SAVE HKLM\SYSTEM '
+ condition: selection
+falsepositives:
+ - Administrative activity
+level: high
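Review bot: The five CommandLine values in the selection carry no wildcards, so under Sigma's matching semantics each one is an exact, whole-field comparison; a real Sysmon EventID 1 command line normally has a full executable path in front of `vssadmin.exe` and further switches after `Shadows`, so as written none of the patterns will fire on the activity the rule describes. Wrapping each value in `*…*` (or using a `CommandLine|contains` modifier, if the Sigma version in use supports it) restores the intended substring match, as shown below. The trailing space in `'reg SAVE HKLM\SYSTEM '` looks intentional to anchor the key name, so a `# trailing space intentional` comment on that line would stop a formatter or a later editor from trimming it. The `# Ransomware` entry is not the NTDS.dit retrieval that `title` and `description` describe; either mention shadow-copy deletion in the description or split it into its own rule. A `references` field naming the write-up these command lines were taken from, and a `date` field, are also missing from the rule header.
```yaml
      CommandLine:
        # Ransomware
        - '*vssadmin.exe Delete Shadows*'
        # Hacking
        - '*vssadmin create shadow /for=C:*'
        - '*copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit*'
        - '*vssadmin delete shadows /for=C:*'
        # trailing space intentional
        - '*reg SAVE HKLM\SYSTEM *'
```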