Rule Info
Name
Sensitive File Recovery From Backup Via Wbadmin.EXE
Author
Nasreddine Bencherchali (Nextron Systems), frack113
Description
Detects the recovery of highly sensitive files, such as "NTDS.DIT" or the "SECURITY" registry hive, from a Windows backup via the "wbadmin" utility.
Attackers can leverage "wbadmin" to restore these files from a backup version to a location of their choosing, bypassing the locks the operating system holds on the live copies, in order to extract credentials or other sensitive information.
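The following is an added, illustrative detection in Python that approximates the intent of this rule over process-creation events; it is not the rule's own selection logic. It assumes Sysmon Event ID 1 style field names (Image, OriginalFileName, CommandLine), uses the documented "wbadmin start recovery -itemtype:File" syntax, and the sample events are constructed, not captured from a real host.

```python
"""Illustrative detection for wbadmin-based recovery of credential material.

Added example, not the Sigma rule's own logic. Field names follow Sysmon
Event ID 1 conventions (assumption); the sample events are constructed.
"""
import re
from dataclasses import dataclass

# Paths of the on-disk credential stores. Hive names are matched as
# "\config\<hive>" so an unrelated file merely named SAM or SECURITY in
# another directory does not trigger. Assumption: approximates the rule's
# intent, not its exact selection list.
SENSITIVE_ITEMS = (
    r"\ntds\ntds.dit",
    r"\config\sam",
    r"\config\security",
    r"\config\system",
)


@dataclass(frozen=True)
class ProcessEvent:
    image: str               # full path of the created process
    original_file_name: str  # PE OriginalFileName, survives a renamed binary
    command_line: str


def is_wbadmin(ev: ProcessEvent) -> bool:
    """True if the image path or the PE original name identifies wbadmin."""
    return (ev.image.lower().endswith("\\wbadmin.exe")
            or ev.original_file_name.upper() == "WBADMIN.EXE")


def is_file_recovery(cmd: str) -> bool:
    """True for 'wbadmin start recovery ... -itemtype:File' invocations."""
    c = cmd.lower()
    return "start recovery" in c and re.search(r"-itemtype:file\b", c) is not None


def references_sensitive_item(cmd: str) -> bool:
    """True if the command line names one of the credential stores."""
    c = cmd.lower()
    return any(item in c for item in SENSITIVE_ITEMS)


def matches_rule(ev: ProcessEvent) -> bool:
    """All three conditions must hold: wbadmin, file recovery, sensitive item."""
    return (is_wbadmin(ev)
            and is_file_recovery(ev.command_line)
            and references_sensitive_item(ev.command_line))


def triage(events):
    """Return the events that should raise an alert."""
    return [ev for ev in events if matches_rule(ev)]


# Constructed sample events (not real telemetry). The version identifier
# uses wbadmin's documented MM/DD/YYYY-HH:MM format.
SAMPLE_EVENTS = [
    # 1. Classic NTDS.DIT restore to a writable directory -> alert
    ProcessEvent(
        r"C:\Windows\System32\wbadmin.exe", "WBADMIN.EXE",
        r"wbadmin start recovery -version:05/10/2024-21:00 -itemtype:File "
        r"-items:C:\Windows\NTDS\ntds.dit -recoveryTarget:C:\Temp -quiet"),
    # 2. Renamed copy of wbadmin restoring the SECURITY hive -> alert via
    #    OriginalFileName, which Sysmon records but plain 4688 events do not
    ProcessEvent(
        r"C:\Users\Public\wb.exe", "WBADMIN.EXE",
        r"wb.exe start recovery -version:05/10/2024-21:00 -itemtype:file "
        r"-items:C:\Windows\System32\config\SECURITY -recoveryTarget:C:\Temp"),
    # 3. Routine backup job -> no alert
    ProcessEvent(
        r"C:\Windows\System32\wbadmin.exe", "WBADMIN.EXE",
        r"wbadmin start backup -backupTarget:E: -include:C: -quiet"),
    # 4. Legitimate restore of a user document -> no alert
    ProcessEvent(
        r"C:\Windows\System32\wbadmin.exe", "WBADMIN.EXE",
        r"wbadmin start recovery -version:05/10/2024-21:00 -itemtype:File "
        r"-items:C:\Data\report.docx -recoveryTarget:C:\Restore"),
    # 5. Another tool merely mentioning ntds.dit -> out of scope for this rule
    ProcessEvent(
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "PowerShell.EXE",
        r'powershell -c "Get-Item C:\Windows\NTDS\ntds.dit"'),
]


if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print("ALERT:", ev.command_line)
```

Matching on OriginalFileName as well as the image path is what catches the renamed binary in sample 2; a log source that lacks that field (Windows Security 4688 without Sysmon) will only see the path, so a renamed wbadmin slips through unless you also hunt for the "start recovery" command line on its own.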
Date
2024-05-10 00:00:00
Modified
None
Id
84972c80-251c-4c3a-9079-4f00aad93938
Tags
attack.credential-access attack.t1003.003
Type
Community Rule