Sensitive File Dump Via Wbadmin.EXE

Detects the dump of highly sensitive files such as "NTDS.DIT" and the "SECURITY" hive. Attackers can leverage the built-in "wbadmin" utility (Windows Server Backup) to back up or restore these files to a location they control, extracting credentials or other sensitive information without touching the locked originals directly.

Sigma rule (View on GitHub)

title: Sensitive File Dump Via Wbadmin.EXE
id: 8b93a509-1cb8-42e1-97aa-ee24224cdc15
status: experimental
description: |
    Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
    Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
references:
    - https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml
    - https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2024-05-10
tags:
    - attack.credential-access
    - attack.t1003.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wbadmin.exe'
        - OriginalFileName: 'WBADMIN.EXE'
    selection_backup:
        CommandLine|contains:
            - 'start'
            - 'backup'
    selection_path:
        CommandLine|contains:
            - '\config\SAM'
            - '\config\SECURITY'
            - '\config\SYSTEM'
            - '\Windows\NTDS\NTDS.dit'
    condition: all of selection_*
falsepositives:
    - Legitimate backup operation by authorized administrators. Matches must be investigated and allowed on a case by case basis.
level: high
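To see what the three selections actually match, the following is an added example (not part of the Sigma rule or the SigmaHQ project) that re-implements the rule's logic in Python and runs it over four constructed process_creation events. It assumes the Sigma process_creation field names (Image, OriginalFileName, CommandLine), Sigma's default case-insensitive string matching, and that a list of values under one field is an OR; the hosts, share, and version identifier in the sample events are made up.

```python
# Added example: a stand-alone Python evaluation of the rule's three
# selections over constructed process_creation events. This is not part of
# the Sigma project; field names follow Sigma's process_creation log source
# (Image, OriginalFileName, CommandLine) and every event below is made up.

# Values copied from the rule. Sigma compares strings case-insensitively, and
# a list of values under one field is an OR, so 'start' OR 'backup' is enough
# for selection_backup.
IMAGE_SUFFIX = "\\wbadmin.exe"
ORIGINAL_FILE_NAME = "wbadmin.exe"
BACKUP_TOKENS = ("start", "backup")
SENSITIVE_PATHS = (
    "\\config\\sam",
    "\\config\\security",
    "\\config\\system",
    "\\windows\\ntds\\ntds.dit",
)


def selection_img(event):
    """Image ends with \\wbadmin.exe OR OriginalFileName is WBADMIN.EXE."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIX) or original == ORIGINAL_FILE_NAME


def selection_backup(event):
    """CommandLine contains 'start' or 'backup'."""
    cmd = event.get("CommandLine", "").lower()
    return any(token in cmd for token in BACKUP_TOKENS)


def selection_path(event):
    """CommandLine names one of the credential stores."""
    cmd = event.get("CommandLine", "").lower()
    return any(path in cmd for path in SENSITIVE_PATHS)


def matches(event):
    """condition: all of selection_*"""
    return selection_img(event) and selection_backup(event) and selection_path(event)


# Constructed sample events (hypothetical hosts, share and version identifier).
SAMPLE_EVENTS = [
    {   # NTDS.dit sent to a remote share by a file-level backup: should fire
        "id": "ntds-backup",
        "Image": r"C:\Windows\System32\wbadmin.exe",
        "OriginalFileName": "WBADMIN.EXE",
        "CommandLine": r"wbadmin start backup -quiet -backupTarget:\\10.0.0.5\share "
                       r"-include:C:\Windows\NTDS\ntds.dit",
    },
    {   # Renamed binary restoring the SAM hive; only OriginalFileName gives it away
        "id": "sam-recovery-renamed",
        "Image": r"C:\Temp\wb.exe",
        "OriginalFileName": "WBADMIN.EXE",
        "CommandLine": r"wb.exe start recovery -version:01/01/2024-00:00 -itemtype:File "
                       r"-items:C:\Windows\System32\config\SAM -recoveryTarget:C:\Temp -quiet",
    },
    {   # Routine full-volume backup: same tool, no sensitive path on the command line
        "id": "volume-backup",
        "Image": r"C:\Windows\System32\wbadmin.exe",
        "OriginalFileName": "WBADMIN.EXE",
        "CommandLine": r"wbadmin start backup -backupTarget:E: -include:C: -quiet",
    },
    {   # Different tool touching the same file: outside this rule's scope
        "id": "robocopy-ntds",
        "Image": r"C:\Windows\System32\Robocopy.exe",
        "OriginalFileName": "robocopy.exe",
        "CommandLine": r"robocopy C:\Windows\NTDS C:\Temp ntds.dit",
    },
]


def evaluate(events=SAMPLE_EVENTS):
    """Return the ids of events that satisfy the rule's condition."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    print(evaluate())  # ['ntds-backup', 'sam-recovery-renamed']
```

Two of the non-matching cases are worth keeping in mind when tuning. The volume-backup event shows that the rule keys on the literal path: a volume-level backup that captures NTDS.dit as a side effect never names it on the command line and is not detected. The renamed-binary event only fires because OriginalFileName is checked, which depends on the telemetry source populating that field (Sysmon event ID 1 does; Windows Security event 4688 does not), so on 4688-only collection a renamed wbadmin.exe evades selection_img.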
