Sensitive File Recovery From Backup Via Wbadmin.EXE
Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive. Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
Sigma rule
```yaml
title: Sensitive File Recovery From Backup Via Wbadmin.EXE
id: 84972c80-251c-4c3a-9079-4f00aad93938
related:
    - id: 6fe4aa1e-0531-4510-8be2-782154b73b48
      type: derived
status: experimental
description: |
    Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
    Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
references:
    - https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml
    - https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2024/05/10
tags:
    - attack.credential_access
    - attack.t1003.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wbadmin.exe'
        - OriginalFileName: 'WBADMIN.EXE'
    selection_backup:
        CommandLine|contains|all:
            - ' recovery'
            - 'recoveryTarget'
            - 'itemtype:File'
        CommandLine|contains:
            - '\config\SAM'
            - '\config\SECURITY'
            - '\config\SYSTEM'
            - '\Windows\NTDS\NTDS.dit'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
```
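The rule's matching logic, reimplemented as an added stand-alone example (not part of the Sigma project or this rule) and run over constructed process_creation events: the selection_img list is an OR, the two CommandLine fields in selection_backup are an AND, `|all` requires every token, and the plain list requires any one path. The events, version strings and target paths are constructed sample data, not real telemetry.

```python
"""Minimal evaluator for the rule above over constructed process_creation events.
Sigma's 'contains' / 'endswith' modifiers are case-insensitive, which .lower() mirrors."""

# Values copied from the rule's detection section.
RECOVERY_TOKENS = (" recovery", "recoveryTarget", "itemtype:File")      # CommandLine|contains|all
SENSITIVE_PATHS = (r"\config\SAM", r"\config\SECURITY", r"\config\SYSTEM",
                   r"\Windows\NTDS\NTDS.dit")                            # CommandLine|contains


def _contains(haystack: str, needle: str) -> bool:
    """Case-insensitive substring test, as Sigma backends implement 'contains'."""
    return needle.lower() in haystack.lower()


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies 'condition: all of selection_*'."""
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "")
    cmdline = event.get("CommandLine", "")
    # selection_img is a YAML list of maps: either item may match (OR).
    selection_img = (image.lower().endswith(r"\wbadmin.exe")
                     or original.lower() == "wbadmin.exe")
    # selection_backup is one map with two fields: both must match (AND);
    # '|all' needs every token, the plain list needs any one value.
    selection_backup = (all(_contains(cmdline, t) for t in RECOVERY_TOKENS)
                        and any(_contains(cmdline, p) for p in SENSITIVE_PATHS))
    return selection_img and selection_backup


# Constructed sample events (not real telemetry); version strings are placeholders.
SAMPLE_EVENTS = [
    {"id": "ntds-recovery", "Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": r"wbadmin start recovery -version:01/01/2024-00:00 -itemtype:File "
                    r"-items:C:\Windows\NTDS\NTDS.dit -recoveryTarget:C:\Temp"},
    {"id": "benign-backup", "Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": r"wbadmin start backup -backupTarget:E: -include:C:"},
    {"id": "benign-file-restore", "Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": r"wbadmin start recovery -version:01/01/2024-00:00 -itemtype:File "
                    r"-items:C:\Data\report.docx -recoveryTarget:C:\Restore"},
    # Renamed copy: Image no longer ends in wbadmin.exe, but OriginalFileName still
    # matches, and lower-case tokens still hit because matching is case-insensitive.
    {"id": "renamed-binary", "Image": r"C:\Temp\wb.exe", "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": r"wb start recovery -version:01/01/2024-00:00 -itemtype:file "
                    r"-items:c:\windows\system32\config\security -recoverytarget:c:\temp"},
]


def evaluate(events: list) -> list:
    """Run the rule over each event and return (id, matched) pairs."""
    return [(e["id"], matches_rule(e)) for e in events]


if __name__ == "__main__":
    for event_id, hit in evaluate(SAMPLE_EVENTS):
        print(f"{event_id:20s} {'ALERT' if hit else 'no match'}")
```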
Related rules
- Sensitive File Dump Via Wbadmin.EXE
- Secretsdump.py Execution
- NTDS.DIT Created
- Active Directory Database Snapshot Via ADExplorer
- Suspicious Active Directory Database Snapshot Via ADExplorer