Skip to content

Hide Navigation Hide TOC

Sensitive File Dump Via Wbadmin.EXE (8b93a509-1cb8-42e1-97aa-ee24224cdc15)

Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive. Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.

Cluster A Galaxy A Cluster B Galaxy B Level
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern Sensitive File Dump Via Wbadmin.EXE (8b93a509-1cb8-42e1-97aa-ee24224cdc15) Sigma-Rules 1
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern 2