Rule : NTDS.dit Dump via wbadmin.exe Abuse
NTD Sdumpwbadmin
Query
DeviceProcessEvents
| where FileName =~ "wbadmin.exe" or ProcessCommandLine contains "wbadmin"
| where ProcessCommandLine contains "ntds.dit" or ProcessCommandLine contains "config\\SYSTEM" or ProcessCommandLine contains "config\\SECURITY"
| project Timestamp,DeviceId, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, ReportIdAbout this query
Rule : NTDS.dit Dump via wbadmin.exe Abuse
Description
Detects abuse of Windows Backup (wbadmin.exe) to export sensitive Active Directory artifacts such as NTDS.dit, SYSTEM, and SECURITY hives. Attackers may use wbadmin start backup with -include flags targeting these files to extract account hashes and secrets.
- Source: The DFIR Report — From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira (Aug 05, 2025)
Detection Logic
- Alert on
wbadmin.exeor backup tools invoked with-includeparameters referencingC:\Windows\NTDS\ntds.ditorC:\Windows\System32\config\SYSTEMorSECURITY. - Correlate backup target paths that point to remote shares or user-writable locations.
- Flag when such operations are initiated by non-admin or unexpected service accounts.
Tags
- Credential Access
- Discovery
- MITRE ATT&CK: T1003 (OS Credential Dumping)
Search Query
Explanation
This query is designed to detect potential security threats involving the misuse of the Windows Backup tool (wbadmin.exe). Specifically, it looks for instances where this tool is used to back up sensitive Active Directory files, such as NTDS.dit, SYSTEM, and SECURITY hives. These files contain critical information like account hashes and secrets, which attackers might try to extract.
Here's a simplified breakdown of the query:
-
Purpose: Identify suspicious use of
wbadmin.exeto back up sensitive files that could indicate an attempt to steal credentials or other sensitive information. -
How it Works:
- It searches for processes where
wbadmin.exeis executed or mentioned in the command line. - It specifically looks for command lines that include references to
ntds.dit,config\SYSTEM, orconfig\SECURITY. - It filters and displays relevant details such as the timestamp, device ID, device name, the account initiating the process, the command line used, and a report ID.
- It searches for processes where
-
Additional Checks:
- It flags operations that target remote shares or locations writable by users, which could indicate an attempt to exfiltrate data.
- It raises alerts if these operations are performed by non-admin users or unexpected service accounts, as these actions are typically restricted to administrative roles.
-
Tags and Context:
- The query is associated with credential access and discovery tactics.
- It aligns with the MITRE ATT&CK framework, specifically technique T1003, which involves OS credential dumping.
Overall, this query helps security teams monitor and respond to potential abuses of backup tools that could lead to unauthorized access to sensitive information.
