Query Details

NTDSdumpwbadmin

Query

# Rule : NTDS.dit Dump via wbadmin.exe Abuse

## Description
Detects abuse of Windows Backup (`wbadmin.exe`) to export sensitive Active Directory artifacts such as `NTDS.dit`, `SYSTEM`, and `SECURITY` hives. Attackers may use `wbadmin start backup` with `-include` flags targeting these files to extract account hashes and secrets.

- **Source:** The DFIR Report — From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira (Aug 05, 2025)

## Detection Logic
- Alert on `wbadmin.exe` (or other backup tools) invoked with `-include` parameters referencing `C:\Windows\NTDS\ntds.dit`, `C:\Windows\System32\config\SYSTEM`, or `C:\Windows\System32\config\SECURITY`.
- Correlate backup target paths that point to remote shares or user-writable locations.
- Flag when such operations are initiated by non-admin or unexpected service accounts.

## Tags
- Credential Access  
- Discovery  
- MITRE ATT&CK: T1003 (OS Credential Dumping)

## Search Query
```kql
DeviceProcessEvents
| where FileName =~ "wbadmin.exe" or ProcessCommandLine contains "wbadmin"
| where ProcessCommandLine contains "ntds.dit" or ProcessCommandLine contains "config\\SYSTEM" or ProcessCommandLine contains "config\\SECURITY"
| project Timestamp,DeviceId, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, ReportId
```
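The three Detection Logic bullets above, run over constructed DeviceProcessEvents-shaped rows, as an added Python example that is not part of the original rule or of The DFIR Report's material. The base filter mirrors the KQL query (wbadmin.exe by image name or anywhere on the command line, plus a case-insensitive match on the three artifact paths); the remote-share, user-writable-target and unexpected-account checks are the correlations the rule describes but the query itself does not perform. The sample rows, the `EXPECTED_BACKUP_ACCOUNTS` allow-list and the `USER_WRITABLE_PREFIXES` list are assumptions for illustration.

```python
"""Emulate the NTDS.dit-via-wbadmin rule over DeviceProcessEvents-shaped rows.

Added example, not code from the original rule page. Sample rows, the account
allow-list and the user-writable prefixes are assumptions for illustration.
"""
import re
from typing import Optional

# Constructed sample rows (not real telemetry), shaped like DeviceProcessEvents.
SAMPLE_EVENTS = [
    {"Timestamp": "2025-11-10T02:14:07Z", "DeviceName": "dc01", "FileName": "wbadmin.exe",
     "InitiatingProcessAccountName": "svc_print",
     "ProcessCommandLine": r"wbadmin start backup -backupTarget:\\10.0.0.5\staging "
                           r"-include:C:\Windows\NTDS\ntds.dit,C:\Windows\System32\config\SYSTEM -quiet"},
    {"Timestamp": "2025-11-10T03:00:00Z", "DeviceName": "dc01", "FileName": "wbadmin.exe",
     "InitiatingProcessAccountName": "administrator",
     "ProcessCommandLine": r"wbadmin start backup -backupTarget:E: -allCritical -quiet"},
    {"Timestamp": "2025-11-10T03:05:12Z", "DeviceName": "dc02", "FileName": "wbadmin.exe",
     "InitiatingProcessAccountName": "administrator",
     "ProcessCommandLine": r"wbadmin start backup -backupTarget:D: -include:C:\Windows\NTDS\ntds.dit -quiet"},
    {"Timestamp": "2025-11-10T03:09:44Z", "DeviceName": "dc02", "FileName": "cmd.exe",
     "InitiatingProcessAccountName": "jdoe",
     "ProcessCommandLine": r'cmd.exe /c wbadmin start backup -backupTarget:"C:\Users\Public\bk" '
                           r"-include:c:\windows\system32\config\security -quiet"},
    {"Timestamp": "2025-11-10T03:15:00Z", "DeviceName": "ws17", "FileName": "notepad.exe",
     "InitiatingProcessAccountName": "jdoe",
     "ProcessCommandLine": r"notepad.exe C:\notes\ntds.dit.txt"},
]

# The KQL query's three case-insensitive `contains` terms (backslashes escaped for Python).
SENSITIVE_ARTIFACTS = ("ntds.dit", "config\\system", "config\\security")
# Assumed allow-list: accounts expected to run backups on domain controllers.
EXPECTED_BACKUP_ACCOUNTS = {"administrator", "svc_backup"}
# Assumed user-writable local prefixes; a "backup" staged here is usually about to leave the host.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\temp\\", "c:\\windows\\temp\\", "c:\\programdata\\")
# wbadmin's -backupTarget:<volume | UNC path>, optionally quoted.
_TARGET_RE = re.compile(r'-backupTarget:"?([^"\s]+)', re.IGNORECASE)


def base_match(event: dict) -> bool:
    """The rule's core filter, as written in the KQL query (all comparisons case-insensitive)."""
    cmd = event["ProcessCommandLine"].lower()
    if event["FileName"].lower() != "wbadmin.exe" and "wbadmin" not in cmd:
        return False
    return any(token in cmd for token in SENSITIVE_ARTIFACTS)


def backup_target(cmdline: str) -> Optional[str]:
    """Extract the -backupTarget value, or None when the flag is absent."""
    match = _TARGET_RE.search(cmdline)
    return match.group(1) if match else None


def target_findings(target: Optional[str]) -> list:
    """Detection Logic bullet 2: remote share or user-writable backup destination."""
    if target is None:
        return []
    lowered = target.lower()
    if lowered.startswith("\\\\"):
        return ["backup target is a remote share: " + target]
    if lowered.startswith(USER_WRITABLE_PREFIXES):
        return ["backup target is a user-writable location: " + target]
    return []


def evaluate(event: dict) -> Optional[dict]:
    """Return an alert dict for a matching row, or None. Extra findings raise severity."""
    if not base_match(event):
        return None
    reasons = ["command line names an AD credential artifact"]
    reasons += target_findings(backup_target(event["ProcessCommandLine"]))
    account = event["InitiatingProcessAccountName"]
    if account.lower() not in EXPECTED_BACKUP_ACCOUNTS:  # Detection Logic bullet 3
        reasons.append("unexpected account: " + account)
    return {
        "Timestamp": event["Timestamp"],
        "DeviceName": event["DeviceName"],
        "Account": account,
        "Severity": "high" if len(reasons) > 1 else "medium",
        "Reasons": reasons,
        "ProcessCommandLine": event["ProcessCommandLine"],
    }


def run(events: list) -> list:
    """Apply the rule to every row and keep the alerts."""
    return [alert for alert in map(evaluate, events) if alert is not None]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(f"[{alert['Severity']}] {alert['Timestamp']} {alert['DeviceName']} {alert['Account']}")
        for reason in alert["Reasons"]:
            print("    -", reason)
```

Run as a script to print the alerts, or import it and call `run()` on rows exported from advanced hunting. Two tuning caveats: a `wbadmin start systemstatebackup` or a `-allCritical` backup on a domain controller captures the AD database without ever naming `ntds.dit` on the command line, so the string match (here and in the KQL) does not see it; and matching on `contains "wbadmin"` rather than only the image name is what catches the `cmd.exe /c wbadmin ...` wrapper in the sample, at the cost of also matching unrelated processes that merely mention the word.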

Explanation

This query is designed to detect potential security threats involving the misuse of the Windows Backup tool (wbadmin.exe). Specifically, it looks for instances where this tool is used to back up sensitive Active Directory files, such as NTDS.dit, SYSTEM, and SECURITY hives. These files contain critical information like account hashes and secrets, which attackers might try to extract.

Here's a simplified breakdown of the query:

  1. Purpose: Identify suspicious use of wbadmin.exe to back up sensitive files that could indicate an attempt to steal credentials or other sensitive information.

  2. How it Works:

    • It searches for processes where wbadmin.exe is executed or mentioned in the command line.
    • It specifically looks for command lines that include references to ntds.dit, config\SYSTEM, or config\SECURITY.
    • It filters and displays relevant details such as the timestamp, device ID, device name, the account initiating the process, the command line used, and a report ID.
  3. Additional Checks (from the rule's Detection Logic; the query above does not implement them):

    • Correlate the -backupTarget path: a remote share or a user-writable location suggests staging for exfiltration rather than a backup.
    • Treat runs by non-admin users or unexpected service accounts as higher priority, since backups of a domain controller are normally restricted to administrative roles.
  4. Tags and Context:

    • The query is associated with credential access and discovery tactics.
    • It aligns with the MITRE ATT&CK framework, specifically technique T1003, which involves OS credential dumping.

Overall, this query helps security teams monitor and respond to potential abuses of backup tools that could lead to unauthorized access to sensitive information.

Details


Ali Hussein

Released: November 10, 2025

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents, DeviceId, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, ReportId, Timestamp

Operators

=~, or, contains, project, where
