title: DIT Snapshot Viewer Use
author: Furkan Caliskan (@caliskanfurkan_)
date: 2020/07/04
description: Detects the use of Ditsnap tool. Seems to be a tool for ransomware groups.
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    Image:
    - '*\ditsnap.exe'
  SELECTION_3:
    CommandLine:
    - '*ditsnap.exe*'
  condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
falsepositives:
- Legitimate admin usage
id: d3b70aad-097e-409c-9df2-450f80dc476b
level: high
logsource:
  category: process_creation
  product: windows
references:
- https://thedfirreport.com/2020/06/21/snatch-ransomware/
- https://github.com/yosqueoy/ditsnap
status: experimental
tags:
- attack.credential_access
- attack.t1003.003
- attack.t1003
ruletype: SIGMA