← Back to Explore
sigmahighHunting
Sensitive File Dump Via Wbadmin.EXE
Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive. Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
Detection Query
selection_img:
- Image|endswith: \wbadmin.exe
- OriginalFileName: WBADMIN.EXE
selection_backup:
CommandLine|contains:
- start
- backup
selection_path:
CommandLine|contains:
- \config\SAM
- \config\SECURITY
- \config\SYSTEM
- \Windows\NTDS\NTDS.dit
condition: all of selection_*
Author
Nasreddine Bencherchali (Nextron Systems), frack113
Created
2024-05-10
Data Sources
windowsProcess Creation Events
Platforms
windows
References
- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml
- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup
Tags
attack.credential-accessattack.t1003.003
Raw Content
title: Sensitive File Dump Via Wbadmin.EXE
id: 8b93a509-1cb8-42e1-97aa-ee24224cdc15
status: test
description: |
Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml
- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2024-05-10
tags:
- attack.credential-access
- attack.t1003.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\wbadmin.exe'
- OriginalFileName: 'WBADMIN.EXE'
selection_backup:
CommandLine|contains:
- 'start'
- 'backup'
selection_path:
CommandLine|contains:
- '\config\SAM'
- '\config\SECURITY'
- '\config\SYSTEM'
- '\Windows\NTDS\NTDS.dit'
condition: all of selection_*
falsepositives:
- Legitimate backup operation by authorized administrators. Matches must be investigated and allowed on a case by case basis.
level: high