
[New Rule] NTDS Dump via Wbadmin #3758

Merged 4 commits on Jun 20, 2024

Conversation

@w0rk3r (Contributor) commented Jun 5, 2024

Issues

Part of #3005

Summary

Identifies the execution of wbadmin to access the NTDS.dit file in a domain controller. Attackers with privileges from groups like Backup Operators can abuse the utility to perform credential access and compromise the domain.

Comment on lines 42 to 43
process where host.os.type == "windows" and event.type == "start" and
process.name : "wbadmin.exe" and process.args : "recovery" and process.args : "*ntds.dit*"
@w0rk3r (Contributor, Author) commented:
Suggested change
process where host.os.type == "windows" and event.type == "start" and
process.name : "wbadmin.exe" and process.args : "recovery" and process.args : "*ntds.dit*"
any where host.os.type == "windows" and event.category : ("process", "file") and
event.type in ("start", "creation") and
(
(process.name : "wbadmin.exe" and process.args : "recovery" and process.args : "*ntds.dit*") or
(process.name : "wbengine.exe" and file.name : "ntds.dit")
)
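Review bot: the wbengine.exe arm of the final `or` carries no event.category or event.type constraint of its own, so it inherits the shared `event.category : ("process", "file") and event.type in ("start", "creation")` clause and would also accept a process-start event from wbengine.exe if that document happened to carry a file.name value; pairing each arm with its own category and type (`event.category : "process" and event.type == "start"` for the wbadmin.exe arm, `event.category : "file" and event.type == "creation"` for the wbengine.exe arm) keeps the intent explicit and documents why the rule moves from `process where` to `any where`.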

We can also do something like this
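To see what the two query shapes above cover, here is an added Python example that is not part of the PR or the detection-rules repository: a small re-implementation of both queries' match logic, run over constructed ECS-style events (event contents and paths are made up), showing that the `any where` variant also catches the wbengine.exe file-creation path that the process-only query misses.

```python
from fnmatch import fnmatch
def _match(value, pattern):
    # Approximates EQL's ':' operator: case-insensitive, '*' as wildcard.
    return value is not None and fnmatch(value.lower(), pattern.lower())

def _any_arg(args, pattern):
    return any(_match(a, pattern) for a in (args or []))

def _wbadmin_branch(ev):
    # process.name : "wbadmin.exe" and process.args : "recovery" and process.args : "*ntds.dit*"
    return (_match(ev.get("process.name"), "wbadmin.exe")
            and _any_arg(ev.get("process.args"), "recovery")
            and _any_arg(ev.get("process.args"), "*ntds.dit*"))
def original_rule(ev):
    # process where host.os.type == "windows" and event.type == "start" and <wbadmin branch>
    return (ev.get("event.category") == "process"
            and ev.get("host.os.type") == "windows"
            and ev.get("event.type") == "start"
            and _wbadmin_branch(ev))

def suggested_rule(ev):
    # any where ... event.category : ("process", "file") and event.type in ("start", "creation")
    return (ev.get("host.os.type") == "windows"
            and ev.get("event.category") in ("process", "file")
            and ev.get("event.type") in ("start", "creation")
            and (_wbadmin_branch(ev)
                 or (_match(ev.get("process.name"), "wbengine.exe")
                     and _match(ev.get("file.name"), "ntds.dit"))))

# Constructed ECS-style sample events (made up, not real telemetry).
EVENTS = [
    {"host.os.type": "windows", "event.category": "process", "event.type": "start",
     "process.name": "WBADMIN.EXE",
     "process.args": ["wbadmin.exe", "start", "recovery", "C:\\constructed\\ntds.dit"]},
    {"host.os.type": "windows", "event.category": "file", "event.type": "creation",
     "process.name": "wbengine.exe", "file.name": "NTDS.dit"},
    {"host.os.type": "windows", "event.category": "process", "event.type": "start",
     "process.name": "wbadmin.exe", "process.args": ["wbadmin.exe", "start", "backup"]},
    {"host.os.type": "linux", "event.category": "file", "event.type": "creation",
     "process.name": "wbengine.exe", "file.name": "ntds.dit"},
]

def evaluate(events=EVENTS):
    """Return, per query shape, the indices of the events it would alert on."""
    return {"original": [i for i, ev in enumerate(events) if original_rule(ev)],
            "suggested": [i for i, ev in enumerate(events) if suggested_rule(ev)]}

if __name__ == "__main__":
    print(evaluate())  # {'original': [0], 'suggested': [0, 1]}
```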

@terrancedejesus (Contributor) left a review comment:

Great addition!

@w0rk3r w0rk3r merged commit 2364442 into main Jun 20, 2024
9 checks passed
@w0rk3r w0rk3r deleted the ntds_wbadmin branch June 20, 2024 12:55
protectionsmachine pushed a commit that referenced this pull request Jun 20, 2024
* [New Rule] NTDS Dump via Wbadmin

* Update rules/windows/credential_access_wbadmin_ntds.toml

Co-authored-by: Samirbous <[email protected]>

---------

Co-authored-by: Samirbous <[email protected]>

(cherry picked from commit 2364442)
Labels: backport: auto; Domain: Endpoint; OS: Windows (windows related rules); Rule: New (Proposal for new rule)

4 participants