NTDS Dump via Wbadmin Execution
Adversaries with Backup Operator privileges can abuse the legitimate Windows utility `wbadmin.exe` to dump the NTDS.dit file, enabling credential access and domain compromise.
This rule detects the execution of wbadmin.exe with arguments indicative of an attempt to access and dump the NTDS.dit file on a domain controller. Attackers often leverage this technique after gaining sufficient privileges, such as membership in the Backup Operators group. By abusing wbadmin.exe, adversaries bypass traditional credential access controls. The NTDS.dit file contains sensitive credential information, and successful exfiltration can lead to complete domain compromise. Defenders should monitor wbadmin.exe execution, especially when combined with specific arguments related to NTDS.dit access, to identify potential credential dumping activities. The technique leverages legitimate system administration tools for malicious purposes, making it harder to detect without specific rules. The scope of this attack affects Windows domain controllers.
Attack Chain
- An attacker gains initial access to a Windows system, possibly through phishing or exploiting a vulnerability.
- The attacker escalates privileges to obtain Backup Operators group membership or equivalent privileges necessary to run
wbadmin.exe. - The attacker executes
wbadmin.exewith therecoveryparameter and a command line that includes a reference to thentds.ditfile. wbadmin.exeinitiates a backup process that includes the NTDS.dit file, potentially storing it in a temporary location.- The attacker retrieves the backed-up
ntds.ditfile from the temporary location. - The attacker uses tools like
ntdsutil.exeorsecretsdump.pyto extract password hashes from thentds.ditfile. - The attacker cracks the extracted password hashes or uses them in pass-the-hash attacks.
- Using the compromised credentials, the attacker moves laterally within the network to access sensitive resources and data, or achieves complete domain dominance.
Impact
A successful NTDS.dit dump allows attackers to extract password hashes for all domain users and service accounts. This grants them the ability to impersonate legitimate users, access sensitive data, and move laterally throughout the network. The impact can range from data breaches and financial loss to complete disruption of business operations. The risk is especially high for organizations that do not implement strong password policies or multi-factor authentication, as cracked passwords provide immediate access. Compromised domain administrator accounts can lead to complete domain takeover, requiring extensive recovery efforts.
Recommendation
- Deploy the Sigma rule
NTDS Dump via Wbadminto your SIEM and tune for your environment to detect the malicious use ofwbadmin.exe(rule). - Review user accounts with Backup Operators privileges and remove any unauthorized accounts (overview).
- Monitor process creation events for
wbadmin.exeexecution with command-line arguments related tontds.dit(rule). - Enable Sysmon process-creation logging to activate the rule above (rule).
- Implement strict access controls on domain controllers to prevent unauthorized access to the NTDS.dit file (overview).
- Implement enhanced monitoring and logging for wbadmin.exe usage across all domain controllers to detect future unauthorized access attempts (overview).
Detection coverage 2
NTDS Dump via Wbadmin
mediumDetects the execution of wbadmin with arguments used to dump the NTDS.dit file.
Suspicious Wbadmin Execution from Non-Standard Path
lowDetects wbadmin.exe execution from a non-standard path, which might indicate malicious activity.
Detection queries are available on the platform. Get full rules →