LoFP / Legitimate backup operation by authorized administrators. Matches must be investigated and allowed on a case-by-case basis.

Techniques

Sample rules

Sensitive File Dump Via Wbadmin.EXE

Description

Detects the dumping of highly sensitive files such as the “NTDS.DIT” database and the “SECURITY” registry hive. Attackers can leverage the “wbadmin” utility to back up these files and thereby obtain copies that may contain credentials or other sensitive information.

Detection logic

condition: all of selection_*
selection_backup:
  CommandLine|contains:
  - start
  - backup
selection_img:
- Image|endswith: \wbadmin.exe
- OriginalFileName: WBADMIN.EXE
selection_path:
  CommandLine|contains:
  - \config\SAM
  - \config\SECURITY
  - \config\SYSTEM
  - \Windows\NTDS\NTDS.dit
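Applied to constructed process-creation events, as an added example that is not part of the rule or the page: a Python evaluation of the three selections with Sigma's case-insensitive string semantics. It shows the rule firing on a credential-file path even when the binary is renamed, while the legitimate full backup the false-positive note describes does not match. The sample events and the `triage` helper are assumptions for illustration.

```python
# Constructed sample process-creation events (not from the original page),
# using the Sysmon/Sigma process_creation field names the rule references.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbadmin.exe", "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": r"wbadmin start backup -backupTarget:E: -include:C:\Windows\NTDS\NTDS.dit -quiet"},
    # Legitimate full backup by an administrator: no sensitive path on the command line.
    {"Image": r"C:\Windows\System32\wbadmin.exe", "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": r"wbadmin start backup -backupTarget:E: -allCritical -quiet"},
    # Renamed copy of the binary, mixed-case arguments; PE OriginalFileName still logged.
    {"Image": r"C:\Temp\wb.exe", "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": r"wb.exe START BACKUP -include:c:\windows\system32\config\sam"},
    # Different tool touching a hive: out of scope for this rule.
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd /c type C:\Windows\System32\config\SECURITY"},
]

SENSITIVE_PATHS = [r"\config\SAM", r"\config\SECURITY", r"\config\SYSTEM",
                   r"\Windows\NTDS\NTDS.dit"]


def _contains_any(value, needles):
    # Sigma string matching is case-insensitive; a list of values is OR.
    v = (value or "").lower()
    return any(n.lower() in v for n in needles)


def selection_backup(ev):
    # A plain list under 'contains' is OR in Sigma ('contains|all' would require both).
    return _contains_any(ev.get("CommandLine"), ["start", "backup"])


def selection_img(ev):
    # List of maps = OR between the two identification methods, so a renamed
    # binary is still caught when OriginalFileName is recorded.
    image = (ev.get("Image") or "").lower()
    return image.endswith(r"\wbadmin.exe") or \
        (ev.get("OriginalFileName") or "").lower() == "wbadmin.exe"


def selection_path(ev):
    return _contains_any(ev.get("CommandLine"), SENSITIVE_PATHS)


def matches_rule(ev):
    # condition: all of selection_*
    return selection_backup(ev) and selection_img(ev) and selection_path(ev)


def triage(events):
    """Indexes of matching events; each hit still needs the case-by-case review above."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]
```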