Sensitive File Recovery From Backup Via Wbadmin.EXE

Severity: high
Author: Nasreddine Bencherchali (Nextron Systems), frack113
Source: upstream

Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive. Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.

MITRE ATT&CK coverage

Tactic	Techniques
Credential Access	`T1003.003` OS Credential Dumping: NTDS

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `all of selection_img`

or:
Image|endswith: '\wbadmin.exe'
OriginalFileName: WBADMIN.EXE

Stage 2: `all of selection_backup`

or:
CommandLine|contains: '\Windows\NTDS\NTDS.dit'
CommandLine|contains: '\config\SAM'
CommandLine|contains: '\config\SECURITY'
CommandLine|contains: '\config\SYSTEM'
CommandLine|contains: ' recovery'
CommandLine|contains: 'itemtype:File'
CommandLine|contains: recoveryTarget

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`recovery` corpus 2 (sigma 2) `\Windows\NTDS\NTDS.dit` corpus 2 (sigma 2) `\config\SAM` corpus 2 (sigma 2) `\config\SECURITY` corpus 2 (sigma 2) `\config\SYSTEM` corpus 2 (sigma 2) `itemtype:File` corpus 2 (sigma 2) `recoveryTarget` corpus 2 (sigma 2)
`Image`	ends_with	`\wbadmin.exe` corpus 6 (sigma 6)
`OriginalFileName`	eq	`WBADMIN.EXE` corpus 6 (sigma 6)