WBadmin NTDS Dump
| Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
|---|---|---|---|---|
| WBadmin NTDS Dump | Standard | Sysmon, Windows | Credential Access: OS Credential Dumping (T1003.003) | Critical |
About the rule
Rule Type
Standard
Rule Description
Identifies the execution of wbadmin.exe to access the NTDS.dit file on a domain controller. Attackers holding privileges such as membership in the Backup Operators group can abuse the utility to perform credential access and compromise the domain by extracting the Active Directory database.
Why this rule?
This command extracts the Active Directory database (NTDS.dit), which contains all domain credentials including password hashes. Successful execution gives attackers the keys to your entire domain, enabling complete network compromise. Detecting NTDS extraction attempts is critical for preventing domain-wide credential theft.
Severity
Critical
Rule journey
Attack chain scenario
Privilege Escalation → Credential Access → Execution of WBadmin → Recovery of NTDS.dit → Offline password cracking and Domain Admin compromise.
Impact
Total domain compromise. If the NTDS.dit file is exfiltrated, adversaries can crack the hashes of all domain users, including administrative accounts.
Rule Requirement
Prerequisites
Enable process-creation auditing (Event ID 4688) with command-line logging on domain controllers.
Criteria
Action1:
actionname = "Process started" AND ((PROCESSNAME endswith "wbadmin.exe" OR ORIGINALFILENAME = "wbadmin.exe") AND (COMMANDLINE contains "recovery" AND COMMANDLINE contains "ntds.dit"))
select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.DOMAIN,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID
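As an added example that is not part of the rule page, the Criteria above re-implemented in Python and run over constructed process events. Field names follow the rule's normalized names; case-insensitive matching and the sample command lines are assumptions, not captured telemetry.

```python
from typing import Iterable

def _f(event: dict, key: str) -> str:
    """Lower-case a field for matching; a missing field counts as empty."""
    return str(event.get(key, "")).lower()

def matches_rule(event: dict) -> bool:
    """Action1: a process start of wbadmin.exe, matched by path suffix or by
    OriginalFileName (Sysmon; catches a renamed copy), whose command line
    contains both 'recovery' and 'ntds.dit'."""
    if _f(event, "actionname") != "process started":
        return False
    is_wbadmin = (_f(event, "PROCESSNAME").endswith("wbadmin.exe")
                  or _f(event, "ORIGINALFILENAME") == "wbadmin.exe")
    cmd = _f(event, "COMMANDLINE")
    return is_wbadmin and "recovery" in cmd and "ntds.dit" in cmd

# Subset of the rule's select list that the Next Steps (identification) need.
TRIAGE_FIELDS = ("HOSTNAME", "USERNAME", "PARENTPROCESSNAME", "PROCESSNAME", "COMMANDLINE")

def run_rule(events: Iterable[dict]) -> list[dict]:
    """Return the triage projection of every event that fires the rule."""
    return [{k: e.get(k) for k in TRIAGE_FIELDS} for e in events if matches_rule(e)]

def _evt(name, cmd, orig="", action="Process started"):
    """Build a constructed, normalized process event (not real telemetry)."""
    return {"actionname": action, "HOSTNAME": "DC01", "USERNAME": "bkp-operator",
            "PARENTPROCESSNAME": "C:\\Windows\\System32\\cmd.exe",
            "PROCESSNAME": name, "ORIGINALFILENAME": orig, "COMMANDLINE": cmd}

WB = "C:\\Windows\\System32\\wbadmin.exe"
RECOVERY_CMD = "wbadmin.exe start recovery -items:ntds.dit"  # constructed arguments
SAMPLE_EVENTS = [
    # 1. Recovery of ntds.dit via wbadmin: should fire.
    _evt(WB, RECOVERY_CMD, orig="wbadmin.exe"),
    # 2. Renamed copy; only Sysmon's OriginalFileName reveals wbadmin: should fire.
    _evt("C:\\Temp\\wb.exe", RECOVERY_CMD, orig="wbadmin.exe"),
    # 3. Routine backup with no 'recovery' token: must not fire.
    _evt(WB, "wbadmin.exe start backup -backupTarget:E: -quiet", orig="wbadmin.exe"),
    # 4. Unrelated process whose arguments contain both tokens: must not fire.
    _evt("C:\\Windows\\notepad.exe", "notepad.exe C:\\Docs\\recovery-ntds.dit-notes.txt"),
    # 5. Same command line but a termination record: the rule keys on starts only.
    _evt(WB, RECOVERY_CMD, orig="wbadmin.exe", action="Process terminated"),
]
```

Event 2 only fires because the ORIGINALFILENAME branch is present, which is why the rule lists Sysmon alongside Windows 4688 events; with 4688 alone a renamed binary is missed.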
Detection
Execution Mode
realtime
Log Sources
Active Directory
MITRE ATT&CK
Credential Access: OS Credential Dumping (T1003.003)
Author
@Nasreddine Bencherchali (Nextron Systems), frack113
Future actions
Known False Positives
Legitimate backup recovery operations conducted by authorized domain administrators during a disaster recovery exercise or system maintenance.
Next Steps
- Identification: Identify the user account and host that initiated the command.
- Analysis: Determine if the recovery of NTDS.dit was authorized and documented in a change ticket.
- Response: If unauthorized, isolate the Domain Controller and initiate a domain-wide password reset for high-privilege accounts.
Mitigation
| ID | Mitigation | Description |
|---|---|---|
| | | Ensure Domain Controller backups are properly secured. |
| | | Ensure that local administrator accounts have complex, unique passwords across all systems on the network. |
| | | Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. |
| | | Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |