Skip to content

Hide Navigation Hide TOC

Sensitive File Dump Via Wbadmin.EXE (8b93a509-1cb8-42e1-97aa-ee24224cdc15)

Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive. Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.

Cluster A Galaxy A Cluster B Galaxy B Level
Sensitive File Dump Via Wbadmin.EXE (8b93a509-1cb8-42e1-97aa-ee24224cdc15) Sigma-Rules NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern 1
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2