NTDS Dump via Wbadmin

Identifies the execution of wbadmin to access the NTDS.dit file in a domain controller. Attackers with privileges from groups like Backup Operators can abuse the utility to perform credential access and compromise the domain.

Elastic rule

```toml
[metadata]
creation_date = "2024/06/05"
integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
Identifies the execution of wbadmin to access the NTDS.dit file in a domain controller. Attackers with privileges from
groups like Backup Operators can abuse the utility to perform credential access and compromise the domain.
"""
from = "now-9m"
index = [
    "endgame-*",
    "logs-crowdstrike.fdr*",
    "logs-endpoint.events.process-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-system.security*",
    "logs-windows.forwarded*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "NTDS Dump via Wbadmin"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating NTDS Dump via Wbadmin

Wbadmin is a Windows utility for backup and recovery, often used by administrators to safeguard critical data. However, adversaries with sufficient privileges, such as those in the Backup Operators group, can exploit it to access the NTDS.dit file on domain controllers, which contains sensitive credential information. The detection rule identifies suspicious use of wbadmin by monitoring for its execution with specific arguments related to NTDS.dit, helping to flag potential credential dumping activities.

### Possible investigation steps

- Review the process execution details to confirm the presence of wbadmin.exe with the specific arguments related to NTDS.dit, as indicated by the process.command_line field.
- Check the user account associated with the process execution to determine if it belongs to a privileged group such as Backup Operators, which could indicate potential misuse of privileges.
- Investigate the source host identified by host.os.type to determine if it is a domain controller, as this would be a critical factor in assessing the risk of the activity.
- Correlate the event with other security logs or alerts from data sources like Microsoft Defender for Endpoint or Sysmon to identify any related suspicious activities or patterns.
- Examine recent changes or access attempts to the NTDS.dit file on the domain controller to identify any unauthorized access or modifications.
- Assess the risk score and severity level to prioritize the investigation and determine if immediate response actions are necessary.

### False positive analysis

- Scheduled backups by legitimate IT staff can trigger the rule. Verify the identity and role of the user executing wbadmin and consider excluding known backup schedules from detection.
- Automated recovery processes in disaster recovery plans might use wbadmin with similar arguments. Review and whitelist these processes if they are part of approved recovery procedures.
- Security audits or compliance checks may involve accessing NTDS.dit for validation purposes. Confirm the legitimacy of these activities and exclude them if they are part of regular audits.
- Test environments that mimic production setups might execute similar commands. Ensure these environments are properly documented and excluded from detection if they are used for testing purposes.

### Response and remediation

- Immediately isolate the affected domain controller from the network to prevent further unauthorized access or data exfiltration.
- Revoke any suspicious or unauthorized accounts from the Backup Operators group and review all accounts with elevated privileges for legitimacy.
- Conduct a thorough review of recent backup and recovery operations on the affected domain controller to identify any unauthorized access or data manipulation.
- Change all domain administrator and service account passwords to mitigate potential credential compromise.
- Restore the NTDS.dit file from a known good backup if any unauthorized modifications are detected.
- Implement enhanced monitoring and logging for wbadmin.exe usage across all domain controllers to detect future unauthorized access attempts.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network."""
references = ["https://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960"]
risk_score = 47
rule_id = "d93e61db-82d6-4095-99aa-714988118064"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Windows Security Event Logs",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Crowdstrike",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
    (process.name : "wbadmin.exe" or ?process.pe.original_file_name : "wbadmin.exe") and
     process.args : "recovery" and process.command_line : "*ntds.dit*"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
id = "T1003.002"
name = "Security Account Manager"
reference = "https://attack.mitre.org/techniques/T1003/002/"

[[rule.threat.technique.subtechnique]]
id = "T1003.003"
name = "NTDS"
reference = "https://attack.mitre.org/techniques/T1003/003/"



[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1006"
name = "Direct Volume Access"
reference = "https://attack.mitre.org/techniques/T1006/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```
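To check the query's matching semantics offline (the case-insensitive `:` wildcard operator, the optional `?process.pe.original_file_name` field that tolerates a renamed binary, and the separate `process.args` and `process.command_line` conditions), here is an added Python re-implementation run over constructed ECS-style process events. It is not Elastic's code; the `_event` helper, the sample command lines and their placeholder paths are assumptions made for the example.

```python
import fnmatch
from typing import Any, Dict, List, Optional

def _get(event: Dict[str, Any], dotted: str) -> Any:
    """Resolve an ECS dotted field; a missing field yields None, which mirrors
    how the '?' prefix on process.pe.original_file_name behaves in the EQL query."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def _as_list(value: Any) -> List[Any]:
    return [] if value is None else (value if isinstance(value, list) else [value])

def _match(value: Any, pattern: str) -> bool:
    """EQL ':' operator: case-insensitive wildcard match against any element of the field."""
    return any(fnmatch.fnmatchcase(str(v).lower(), pattern.lower()) for v in _as_list(value))

def matches_rule(event: Dict[str, Any]) -> bool:
    """Python equivalent of the rule's EQL query over one process event."""
    return (
        _get(event, "host.os.type") == "windows"
        and "start" in _as_list(_get(event, "event.type"))
        and (_match(_get(event, "process.name"), "wbadmin.exe")
             or _match(_get(event, "process.pe.original_file_name"), "wbadmin.exe"))
        and _match(_get(event, "process.args"), "recovery")
        and _match(_get(event, "process.command_line"), "*ntds.dit*")
    )

def _event(name: str, cmd: str, original: Optional[str] = None, os_type: str = "windows") -> Dict[str, Any]:
    """Build a minimal constructed ECS process-start event (assumed shape, not real telemetry)."""
    proc: Dict[str, Any] = {"name": name, "args": cmd.split(), "command_line": cmd}
    if original is not None:
        proc["pe"] = {"original_file_name": original}
    return {"host": {"os": {"type": os_type}}, "event": {"type": ["start"]}, "process": proc}

# Constructed sample events, keyed by a label for the scenario each one represents.
SAMPLE_EVENTS: Dict[str, Dict[str, Any]] = {
    "recovery_of_ntds": _event("wbadmin.exe", r"wbadmin start recovery -items:<path>\NTDS.dit"),
    "renamed_binary": _event("wb.exe", r"wb start recovery -items:<path>\ntds.dit", original="wbadmin.exe"),
    "routine_backup": _event("wbadmin.exe", r"wbadmin start backup -backuptarget:<volume>"),
    "recovery_other_file": _event("wbadmin.exe", r"wbadmin start recovery -items:<path>\report.docx"),
    "not_windows": _event("wbadmin.exe", r"wbadmin start recovery -items:<path>\ntds.dit", os_type="linux"),
}

def alerting_labels(events: Dict[str, Dict[str, Any]] = SAMPLE_EVENTS) -> List[str]:
    """Return, sorted, the labels of the events the rule would alert on."""
    return sorted(label for label, ev in events.items() if matches_rule(ev))

if __name__ == "__main__":
    print(alerting_labels())  # ['recovery_of_ntds', 'renamed_binary']
```

The routine backup and the recovery of an unrelated file do not alert, which is the behaviour the false-positive section relies on; the uppercase `NTDS.dit` still matches because `:` is case-insensitive.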

