NTDS Dump via Wbadmin
Identifies the execution of wbadmin to access the NTDS.dit file in a domain controller. Attackers with privileges from groups like Backup Operators can abuse the utility to perform credential access and compromise the domain.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/06/05"
3integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel"]
4maturity = "production"
5updated_date = "2024/10/15"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies the execution of wbadmin to access the NTDS.dit file in a domain controller. Attackers with privileges from
13groups like Backup Operators can abuse the utility to perform credential access and compromise the domain.
14"""
15from = "now-9m"
16index = [
17 "winlogbeat-*",
18 "logs-endpoint.events.process-*",
19 "logs-windows.forwarded*",
20 "logs-windows.sysmon_operational-*",
21 "endgame-*",
22 "logs-system.security*",
23 "logs-m365_defender.event-*",
24 "logs-sentinel_one_cloud_funnel.*",
25]
26language = "eql"
27license = "Elastic License v2"
28name = "NTDS Dump via Wbadmin"
29references = [
30 "https://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960"
31]
32risk_score = 47
33rule_id = "d93e61db-82d6-4095-99aa-714988118064"
34severity = "medium"
35tags = [
36 "Domain: Endpoint",
37 "OS: Windows",
38 "Use Case: Threat Detection",
39 "Tactic: Credential Access",
40 "Data Source: Elastic Endgame",
41 "Data Source: Elastic Defend",
42 "Data Source: System",
43 "Data Source: Microsoft Defender for Endpoint",
44 "Data Source: Sysmon",
45 "Data Source: SentinelOne",
46]
47timestamp_override = "event.ingested"
48type = "eql"
49
50query = '''
51process where host.os.type == "windows" and event.type == "start" and
52 (process.name : "wbadmin.exe" or ?process.pe.original_file_name : "wbadmin.exe") and
53 process.args : "recovery" and process.command_line : "*ntds.dit*"
54'''
55
56
57[[rule.threat]]
58framework = "MITRE ATT&CK"
59[[rule.threat.technique]]
60id = "T1003"
61name = "OS Credential Dumping"
62reference = "https://attack.mitre.org/techniques/T1003/"
63[[rule.threat.technique.subtechnique]]
64id = "T1003.002"
65name = "Security Account Manager"
66reference = "https://attack.mitre.org/techniques/T1003/002/"
67
68[[rule.threat.technique.subtechnique]]
69id = "T1003.003"
70name = "NTDS"
71reference = "https://attack.mitre.org/techniques/T1003/003/"
72
73
74
75[rule.threat.tactic]
76id = "TA0006"
77name = "Credential Access"
78reference = "https://attack.mitre.org/tactics/TA0006/"
79
80
81[[rule.threat]]
82framework = "MITRE ATT&CK"
83[[rule.threat.technique]]
84id = "T1006"
85name = "Direct Volume Access"
86reference = "https://attack.mitre.org/techniques/T1006/"
87
88
89[rule.threat.tactic]
90id = "TA0005"
91name = "Defense Evasion"
92reference = "https://attack.mitre.org/tactics/TA0005/"
References
Related rules
- Credential Acquisition via Registry Hive Dumping
- Microsoft IIS Connection Strings Decryption
- NTDS or SAM Database File Copied
- Potential Local NTLM Relay via HTTP
- Potential Veeam Credential Access Command