Skip to content

Hide Navigation Hide TOC

Sensitive File Recovery From Backup Via Wbadmin.EXE (84972c80-251c-4c3a-9079-4f00aad93938)

Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive. Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.

Cluster A Galaxy A Cluster B Galaxy B Level
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern Sensitive File Recovery From Backup Via Wbadmin.EXE (84972c80-251c-4c3a-9079-4f00aad93938) Sigma-Rules 1
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2