Sensitive File Recovery From Backup Via Wbadmin.EXE
Detects the recovery of highly sensitive files such as the NTDS.DIT database and the SAM, SECURITY and SYSTEM registry hives from a Windows backup via wbadmin.exe. Because these files are locked while Windows is running, attackers can leverage the "wbadmin" utility to pull readable copies out of a backup set and extract credential material from them offline.
Sigma rule
title: Sensitive File Recovery From Backup Via Wbadmin.EXE
id: 84972c80-251c-4c3a-9079-4f00aad93938
related:
    - id: 6fe4aa1e-0531-4510-8be2-782154b73b48
      type: derived
status: experimental
description: |
    Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
    Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
references:
    - https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml
    - https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2024-05-10
tags:
    - attack.credential-access
    - attack.t1003.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wbadmin.exe'
        - OriginalFileName: 'WBADMIN.EXE'
    selection_backup:
        CommandLine|contains|all:
            - ' recovery'
            - 'recoveryTarget'
            - 'itemtype:File'
        CommandLine|contains:
            - '\config\SAM'
            - '\config\SECURITY'
            - '\config\SYSTEM'
            - '\Windows\NTDS\NTDS.dit'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
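The detection logic of the rule above, implemented in Python and run over constructed process_creation events, as an added example that is not part of the Sigma rule, of SigmaHQ or of any SIEM backend. The ProcessEvent container, the event names and every command line are assumptions built for this example; the wbadmin switches follow the documented "wbadmin start recovery" syntax, but the version identifiers and paths are made up. It shows how the two selections combine, why the OriginalFileName branch matters against a renamed binary, and one invocation the rule does not catch.

```python
"""Reference implementation of the Sigma rule's detection logic, run over
constructed Windows process_creation events.

Added example, not part of the Sigma rule or of any SIEM backend. The field
names, the ProcessEvent container and all sample command lines are
constructed for this example. Sigma string modifiers (contains, endswith and
plain equality) are case-insensitive by default, so every comparison below
lower-cases both sides.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of a process_creation event, named after the Sigma fields used."""
    image: str
    original_file_name: str
    command_line: str


# Literal values copied from the rule, lower-cased for case-insensitive matching.
IMAGE_SUFFIX = r"\wbadmin.exe"
ORIGINAL_FILE_NAME = "wbadmin.exe"
REQUIRED_ALL = (" recovery", "recoverytarget", "itemtype:file")
SENSITIVE_ANY = (
    r"\config\sam",
    r"\config\security",
    r"\config\system",
    r"\windows\ntds\ntds.dit",
)


def selection_img(ev: ProcessEvent) -> bool:
    """selection_img: Image|endswith OR OriginalFileName equality.

    The OriginalFileName clause is what catches a renamed wbadmin binary."""
    return (ev.image.lower().endswith(IMAGE_SUFFIX)
            or ev.original_file_name.lower() == ORIGINAL_FILE_NAME)


def selection_backup(ev: ProcessEvent) -> bool:
    """selection_backup: all three recovery tokens AND at least one sensitive path."""
    cmd = ev.command_line.lower()
    return all(tok in cmd for tok in REQUIRED_ALL) and any(p in cmd for p in SENSITIVE_ANY)


def matches(ev: ProcessEvent) -> bool:
    """condition: all of selection_*"""
    return selection_img(ev) and selection_backup(ev)


# Constructed sample events (not real telemetry). Switches follow the documented
# 'wbadmin start recovery' syntax; version identifiers and paths are made up.
SAMPLE_EVENTS = {
    # True positive: NTDS.dit restored to a scratch directory
    "ntds_recovery": ProcessEvent(
        image=r"C:\Windows\System32\wbadmin.exe",
        original_file_name="WBADMIN.EXE",
        command_line=(r"wbadmin start recovery -quiet -version:01/15/2024-03:00 "
                      r"-itemtype:File -items:C:\Windows\NTDS\NTDS.dit "
                      r"-recoveryTarget:C:\Temp -notRestoreAcl"),
    ),
    # True positive: binary renamed and switches lower-cased; only OriginalFileName identifies it
    "sam_recovery_renamed": ProcessEvent(
        image=r"C:\Users\Public\wb.exe",
        original_file_name="WBADMIN.EXE",
        command_line=(r"wb.exe start recovery -version:01/15/2024-03:00 -itemtype:file "
                      r"-items:C:\Windows\System32\config\SAM -recoverytarget:C:\Users\Public"),
    ),
    # Benign: taking a backup, not recovering from one
    "benign_backup": ProcessEvent(
        image=r"C:\Windows\System32\wbadmin.exe",
        original_file_name="WBADMIN.EXE",
        command_line=r"wbadmin start backup -backupTarget:E: -include:C: -quiet",
    ),
    # Benign: file recovery of something that is not a credential store
    "benign_file_recovery": ProcessEvent(
        image=r"C:\Windows\System32\wbadmin.exe",
        original_file_name="WBADMIN.EXE",
        command_line=(r"wbadmin start recovery -version:01/15/2024-03:00 -itemtype:File "
                      r"-items:C:\inetpub\wwwroot\web.config -recoveryTarget:D:\restore -quiet"),
    ),
    # Detection gap: -recoveryTarget omitted (it is optional), so the all-of clause fails
    "gap_no_recoverytarget": ProcessEvent(
        image=r"C:\Windows\System32\wbadmin.exe",
        original_file_name="WBADMIN.EXE",
        command_line=(r"wbadmin start recovery -quiet -version:01/15/2024-03:00 "
                      r"-itemtype:File -items:C:\Windows\NTDS\NTDS.dit -notRestoreAcl"),
    ),
}


def run(events: dict[str, ProcessEvent]) -> list[str]:
    """Return the names of the events the rule fires on, sorted."""
    return sorted(name for name, ev in events.items() if matches(ev))


if __name__ == "__main__":
    for name in run(SAMPLE_EVENTS):
        print("ALERT", name)
```

Two caveats fall out of running it. Sigma string matching is case-insensitive by default, so a backend that compiles the rule into a case-sensitive query would miss "-itemtype:file" and "-recoverytarget" typed in lower case; check the generated query rather than the YAML. And selection_backup requires all of ' recovery', 'recoveryTarget' and 'itemtype:File' to be present, while -recoveryTarget is an optional parameter of "wbadmin start recovery", so the last sample event recovers NTDS.dit without matching the rule.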
References
- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml
- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup
Related rules
- Active Directory Database Snapshot Via ADExplorer
- Copying Sensitive Files with Credential Data
- Create Volume Shadow Copy with Powershell
- Cred Dump Tools Dropped Files
- Esentutl Gather Credentials