NTDS Dump via Wbadmin

Identifies the execution of wbadmin to access the NTDS.dit file in a domain controller. Attackers with privileges from groups like Backup Operators can abuse the utility to perform credential access and compromise the domain.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2024/06/05"
 3integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 4maturity = "production"
 5updated_date = "2024/10/15"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies the execution of wbadmin to access the NTDS.dit file in a domain controller. Attackers with privileges from
13groups like Backup Operators can abuse the utility to perform credential access and compromise the domain.
14"""
15from = "now-9m"
16index = [
17    "winlogbeat-*",
18    "logs-endpoint.events.process-*",
19    "logs-windows.forwarded*",
20    "logs-windows.sysmon_operational-*",
21    "endgame-*",
22    "logs-system.security*",
23    "logs-m365_defender.event-*",
24    "logs-sentinel_one_cloud_funnel.*",
25]
26language = "eql"
27license = "Elastic License v2"
28name = "NTDS Dump via Wbadmin"
29references = [
30    "https://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960"
31]
32risk_score = 47
33rule_id = "d93e61db-82d6-4095-99aa-714988118064"
34severity = "medium"
35tags = [
36    "Domain: Endpoint",
37    "OS: Windows",
38    "Use Case: Threat Detection",
39    "Tactic: Credential Access",
40    "Data Source: Elastic Endgame",
41    "Data Source: Elastic Defend",
42    "Data Source: System",
43    "Data Source: Microsoft Defender for Endpoint",
44    "Data Source: Sysmon",
45    "Data Source: SentinelOne",
46]
47timestamp_override = "event.ingested"
48type = "eql"
49
50query = '''
51process where host.os.type == "windows" and event.type == "start" and
52    (process.name : "wbadmin.exe" or ?process.pe.original_file_name : "wbadmin.exe") and 
53     process.args : "recovery" and process.command_line : "*ntds.dit*"
54'''
55
56
57[[rule.threat]]
58framework = "MITRE ATT&CK"
59[[rule.threat.technique]]
60id = "T1003"
61name = "OS Credential Dumping"
62reference = "https://attack.mitre.org/techniques/T1003/"
63[[rule.threat.technique.subtechnique]]
64id = "T1003.002"
65name = "Security Account Manager"
66reference = "https://attack.mitre.org/techniques/T1003/002/"
67
68[[rule.threat.technique.subtechnique]]
69id = "T1003.003"
70name = "NTDS"
71reference = "https://attack.mitre.org/techniques/T1003/003/"
72
73
74
75[rule.threat.tactic]
76id = "TA0006"
77name = "Credential Access"
78reference = "https://attack.mitre.org/tactics/TA0006/"
79
80
81[[rule.threat]]
82framework = "MITRE ATT&CK"
83[[rule.threat.technique]]
84id = "T1006"
85name = "Direct Volume Access"
86reference = "https://attack.mitre.org/techniques/T1006/"
87
88
89[rule.threat.tactic]
90id = "TA0005"
91name = "Defense Evasion"
92reference = "https://attack.mitre.org/tactics/TA0005/"

References

Related rules

to-top