Sensitive File Dump Via Wbadmin.EXE

Rule Info

Name: Sensitive File Dump Via Wbadmin.EXE
Author: Nasreddine Bencherchali (Nextron Systems), frack113
Description: Detects the dump of highly sensitive files such as "NTDS.DIT" and the "SECURITY" registry hive. Attackers can leverage the "wbadmin" utility to dump sensitive files that may contain credentials or other sensitive information.
Date: 2024-05-10
Modified: None
Id: 8b93a509-1cb8-42e1-97aa-ee24224cdc15
Tags: attack.credential-access attack.t1003.003
Type: Community Rule
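The description names the behaviour but not how it shows up in telemetry. The block below is an added example, not the rule's own detection logic and not code from the Sigma project: a Python check applied to constructed Sysmon-style process-creation records (fields Image, OriginalFileName, CommandLine) that flags wbadmin.exe invoked as `start backup` with an `-include:` list naming NTDS.DIT, its default directory, or the SECURITY, SAM or SYSTEM hive. The path list, the acceptance of `/include:` alongside `-include:`, and the sample events are assumptions of this example.

```python
"""Added example (not the Sigma rule's own detection logic): flag process-creation
events where wbadmin.exe is told to back up NTDS.DIT or a sensitive registry hive,
the behaviour the rule description names. Event shape and samples are constructed."""
import re

# Sysmon Event ID 1 style records reduced to the three fields the check reads.
# All constructed for this example; none is real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbadmin.exe", "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": r"wbadmin start backup -backupTarget:\\10.0.0.5\share -include:C:\Windows\NTDS\ntds.dit -quiet"},
    {"Image": r"C:\Windows\System32\wbadmin.exe", "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": r'WBADMIN.EXE start backup -backuptarget:E: -include:"C:\Windows\System32\config\SECURITY",C:\Windows\System32\config\SYSTEM -quiet'},
    {"Image": r"C:\Windows\System32\wbadmin.exe", "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": r"wbadmin start backup -backupTarget:E: -include:C:\Users\alice -quiet"},  # routine backup
    {"Image": r"C:\Windows\System32\wbadmin.exe", "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": r"wbadmin start systemstatebackup -backupTarget:E: -quiet"},  # no -include list
    {"Image": r"C:\Windows\System32\wbadmin.exe", "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": r"wbadmin get versions"},
    {"Image": r"C:\Temp\wb.exe", "OriginalFileName": "WBADMIN.EXE",  # renamed copy of the binary
     "CommandLine": r"wb.exe start backup -include:c:\windows\system32\config\sam -backuptarget:d:"},
    {"Image": r"C:\Windows\System32\wbadmin.exe", "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": r"wbadmin start backup -include:C:\Windows\System32\config\systemprofile -backupTarget:E:"},
]

# "wbadmin start backup ... -include:<paths>" is the form that takes an explicit
# file list. "/" is accepted alongside "-" defensively (assumption of this example).
_START_BACKUP = re.compile(r"\bstart\s+backup\b", re.IGNORECASE)
_INCLUDE = re.compile(r"[-/]include:", re.IGNORECASE)

# Paths whose presence in the include list is the signal. The list is a reading of
# the rule description (NTDS.DIT, SECURITY hive) extended to the SAM and SYSTEM hives
# that sit beside it; it is not the rule's own selection list.
_SENSITIVE = re.compile(
    r"\\ntds\.dit(?![a-z0-9_])"                          # the AD database file
    r"|\\windows\\ntds(?![a-z0-9_])"                      # or its default directory
    r"|\\config\\(?:security|sam|system)(?![a-z0-9_])",   # registry hives; the lookahead
    re.IGNORECASE,                                        # keeps out e.g. \config\systemprofile
)


def is_wbadmin(event):
    """Match on the image path or on OriginalFileName, so a renamed copy still counts."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").upper()
    return image.endswith("\\wbadmin.exe") or original == "WBADMIN.EXE"


def sensitive_targets(command_line):
    """Return the sensitive path fragments named in a backup include list, lowercased and deduplicated."""
    if not (_START_BACKUP.search(command_line) and _INCLUDE.search(command_line)):
        return []
    return sorted({m.lower() for m in _SENSITIVE.findall(command_line)})


def evaluate(event):
    """Return the sensitive targets if this event is a wbadmin-based dump, otherwise []."""
    if not is_wbadmin(event):
        return []
    return sensitive_targets(event.get("CommandLine", ""))


def scan(events):
    """Return (index, targets) for every event that should alert."""
    hits = []
    for i, event in enumerate(events):
        targets = evaluate(event)
        if targets:
            hits.append((i, targets))
    return hits


if __name__ == "__main__":
    for i, targets in scan(SAMPLE_EVENTS):
        print(f"event {i}: wbadmin backup of sensitive files -> {targets}")
```

Two caveats the samples make visible. `wbadmin start systemstatebackup` captures the same hives and the AD database without any `-include:` path, so a check built literally on the description does not flag it (event 3); a deployment that cares about that form needs a separate condition. Matching OriginalFileName as well as the image path keeps a renamed copy of the binary in scope (event 5), and the boundary lookahead on the hive names stops `\config\systemprofile` from producing a false positive (event 6).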

Rule History

| Author | Title | Date | Commit |
| --- | --- | --- | --- |
| github-actions[bot] | Merge PR #5249 from @nasbench - Promote older rules status from `experimental` to `test` | 2025-04-17 | |
| Nasreddine Bencherchali | Merge PR #4950 from @nasbench - Comply With v2 Spec Changes | 2024-08-12 | |
| frack113 | Merge PR #4830 from @frack113 - Enhance Wbadmin based rules | 2024-05-13 | |