NTDS Dump via Wbadmin
Identifies the execution of wbadmin to access the NTDS.dit file in a domain controller. Attackers with privileges from groups like Backup Operators can abuse the utility to perform credential access and compromise the domain.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/06/05"
3integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
4maturity = "production"
5updated_date = "2024/11/02"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies the execution of wbadmin to access the NTDS.dit file in a domain controller. Attackers with privileges from
13groups like Backup Operators can abuse the utility to perform credential access and compromise the domain.
14"""
15from = "now-9m"
16index = [
17 "winlogbeat-*",
18 "logs-endpoint.events.process-*",
19 "logs-windows.forwarded*",
20 "logs-windows.sysmon_operational-*",
21 "endgame-*",
22 "logs-system.security*",
23 "logs-m365_defender.event-*",
24 "logs-sentinel_one_cloud_funnel.*",
25 "logs-crowdstrike.fdr*",
26]
27language = "eql"
28license = "Elastic License v2"
29name = "NTDS Dump via Wbadmin"
30references = [
31 "https://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960"
32]
33risk_score = 47
34rule_id = "d93e61db-82d6-4095-99aa-714988118064"
35severity = "medium"
36tags = [
37 "Domain: Endpoint",
38 "OS: Windows",
39 "Use Case: Threat Detection",
40 "Tactic: Credential Access",
41 "Data Source: Elastic Endgame",
42 "Data Source: Elastic Defend",
43 "Data Source: System",
44 "Data Source: Microsoft Defender for Endpoint",
45 "Data Source: Sysmon",
46 "Data Source: SentinelOne",
47 "Data Source: Crowdstrike",
48]
49timestamp_override = "event.ingested"
50type = "eql"
51
52query = '''
53process where host.os.type == "windows" and event.type == "start" and
54 (process.name : "wbadmin.exe" or ?process.pe.original_file_name : "wbadmin.exe") and
55 process.args : "recovery" and process.command_line : "*ntds.dit*"
56'''
57
58
59[[rule.threat]]
60framework = "MITRE ATT&CK"
61[[rule.threat.technique]]
62id = "T1003"
63name = "OS Credential Dumping"
64reference = "https://attack.mitre.org/techniques/T1003/"
65[[rule.threat.technique.subtechnique]]
66id = "T1003.002"
67name = "Security Account Manager"
68reference = "https://attack.mitre.org/techniques/T1003/002/"
69
70[[rule.threat.technique.subtechnique]]
71id = "T1003.003"
72name = "NTDS"
73reference = "https://attack.mitre.org/techniques/T1003/003/"
74
75
76
77[rule.threat.tactic]
78id = "TA0006"
79name = "Credential Access"
80reference = "https://attack.mitre.org/tactics/TA0006/"
81
82
83[[rule.threat]]
84framework = "MITRE ATT&CK"
85[[rule.threat.technique]]
86id = "T1006"
87name = "Direct Volume Access"
88reference = "https://attack.mitre.org/techniques/T1006/"
89
90
91[rule.threat.tactic]
92id = "TA0005"
93name = "Defense Evasion"
94reference = "https://attack.mitre.org/tactics/TA0005/"
References
Related rules
- Wireless Credential Dumping using Netsh Command
- Credential Acquisition via Registry Hive Dumping
- Microsoft IIS Connection Strings Decryption
- NTDS or SAM Database File Copied
- Potential Veeam Credential Access Command