Sensitive File Recovery From Backup Via Wbadmin.EXE

 1title: Sensitive File Recovery From Backup Via Wbadmin.EXE
 2id: 84972c80-251c-4c3a-9079-4f00aad93938
 3related:
 4    - id: 6fe4aa1e-0531-4510-8be2-782154b73b48
 5      type: derived
 6status: experimental
 7description: |
 8    Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
 9    Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.    
10references:
11    - https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml
12    - https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/
13    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
14    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup
15author: Nasreddine Bencherchali (Nextron Systems), frack113
16date: 2024/05/10
17tags:
18    - attack.credential_access
19    - attack.t1003.003
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection_img:
25        - Image|endswith: '\wbadmin.exe'
26        - OriginalFileName: 'WBADMIN.EXE'
27    selection_backup:
28        CommandLine|contains|all:
29            - ' recovery'
30            - 'recoveryTarget'
31            - 'itemtype:File'
32        CommandLine|contains:
33            - '\config\SAM'
34            - '\config\SECURITY'
35            - '\config\SYSTEM'
36            - '\Windows\NTDS\NTDS.dit'
37    condition: all of selection_*
38falsepositives:
39    - Unknown
40level: high

References

• LOLBAS/yml/OSBinaries/Wbadmin.yml at 2cc01b01132b5c304027a658c698ae09dd6a92bf · LOLBAS-Project/LOLBAS

  

  Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts) - LOLBAS-Project/LOLBAS

  
  Read More

• Wbadmin | LOLBAS

  Restore a version of NTDS.dit and SYSTEM hive into file path. The command `wbadmin get versions` can be used to find version identifiers. wbadmin start recovery -version: -recoverytarget:C:\temp -i...

  
  Read More

• wbadmin start recovery

  

  Reference article for the wbadmin start recovery command, which runs a recovery operation based on the parameters that you specify.

  
  Read More

• wbadmin start backup

  

  Reference article for the wbadmin start backup command, which creates a backup using specified parameters.

  
  Read More

Related rules

• Sensitive File Dump Via Wbadmin.EXE
• Secretsdump.py Execution
• NTDS.DIT Created
• Active Directory Database Snapshot Via ADExplorer
• Suspicious Active Directory Database Snapshot Via ADExplorer