Query Details

Rule : NTDS.dit Dump via wbadmin.exe Abuse

NTD Sdumpwbadmin

Query

DeviceProcessEvents
| where FileName =~ "wbadmin.exe" or ProcessCommandLine contains "wbadmin"
| where ProcessCommandLine contains "ntds.dit" or ProcessCommandLine contains "config\\SYSTEM" or ProcessCommandLine contains "config\\SECURITY"
| project Timestamp,DeviceId, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, ReportId

About this query

Rule : NTDS.dit Dump via wbadmin.exe Abuse

Description

Detects abuse of Windows Backup (wbadmin.exe) to export sensitive Active Directory artifacts such as NTDS.dit, SYSTEM, and SECURITY hives. Attackers may use wbadmin start backup with -include flags targeting these files to extract account hashes and secrets.

  • Source: The DFIR Report — From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira (Aug 05, 2025)

Detection Logic

  • Alert on wbadmin.exe or backup tools invoked with -include parameters referencing C:\Windows\NTDS\ntds.dit or C:\Windows\System32\config\SYSTEM or SECURITY.
  • Correlate backup target paths that point to remote shares or user-writable locations.
  • Flag when such operations are initiated by non-admin or unexpected service accounts.

Tags

  • Credential Access
  • Discovery
  • MITRE ATT&CK: T1003 (OS Credential Dumping)

Search Query

Explanation

This query is designed to detect potential security threats involving the misuse of the Windows Backup tool (wbadmin.exe). Specifically, it looks for instances where this tool is used to back up sensitive Active Directory files, such as NTDS.dit, SYSTEM, and SECURITY hives. These files contain critical information like account hashes and secrets, which attackers might try to extract.

Here's a simplified breakdown of the query:

  1. Purpose: Identify suspicious use of wbadmin.exe to back up sensitive files that could indicate an attempt to steal credentials or other sensitive information.

  2. How it Works:

    • It searches for processes where wbadmin.exe is executed or mentioned in the command line.
    • It specifically looks for command lines that include references to ntds.dit, config\SYSTEM, or config\SECURITY.
    • It filters and displays relevant details such as the timestamp, device ID, device name, the account initiating the process, the command line used, and a report ID.
  3. Additional Checks:

    • It flags operations that target remote shares or locations writable by users, which could indicate an attempt to exfiltrate data.
    • It raises alerts if these operations are performed by non-admin users or unexpected service accounts, as these actions are typically restricted to administrative roles.
  4. Tags and Context:

    • The query is associated with credential access and discovery tactics.
    • It aligns with the MITRE ATT&CK framework, specifically technique T1003, which involves OS credential dumping.

Overall, this query helps security teams monitor and respond to potential abuses of backup tools that could lead to unauthorized access to sensitive information.

Details

Ali Hussein profile picture

Ali Hussein

Released: November 10, 2025

Tables

DeviceProcessEvents

Keywords

DeviceProcessEventsIdNameInitiatingAccountCommandLineReportTimestamp

Operators

=~orcontainsprojectwhere

MITRE Techniques

Actions

GitHub