Skip to content

Hide Navigation Hide TOC

Sensitive File Recovery From Backup Via Wbadmin.EXE (84972c80-251c-4c3a-9079-4f00aad93938)

Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive. Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.

Cluster A Galaxy A Cluster B Galaxy B Level
Sensitive File Recovery From Backup Via Wbadmin.EXE (84972c80-251c-4c3a-9079-4f00aad93938) Sigma-Rules NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern 1
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern 2