
LOLBAS wbadmin rule #4830

Merged
merged 4 commits into from May 13, 2024

Conversation

frack113 (Member) commented Apr 20, 2024

Summary of the Pull Request

Add rule for https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Wbadmin.yml

Changelog

new: All Backups Deleted Via Wbadmin.EXE
update: Windows Backup Deleted Via Wbadmin.EXE - Enhance logic and increase coverage
new: Sensitive File Dump Via Wbadmin.EXE
new: File Recovery From Backup Via Wbadmin.EXE
new: Sensitive File Recovery From Backup Via Wbadmin.EXE

Example Log Event

<EventData>
  <Data>Sigma rule match found: Copying Sensitive Files with Credential Data (see Details tab for more information)</Data> 
  <Data>Module: Sigma</Data> 
  <Data>Rule_Title: Copying Sensitive Files with Credential Data</Data> 
  <Data>Rule_Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community</Data> 
  <Data>Rule_Description: Files with well-known filenames (sensitive files with credential data) copying</Data> 
  <Data>Rule_FalsePositives: Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator</Data> 
  <Data>Rule_Id: e7be6119-fc37-43f0-ad4f-1f3f99be2f9f</Data> 
  <Data>Rule_Level: high</Data> 
  <Data>Rule_Link: https://github.com/SigmaHQ/sigma/blob/r2024-03-26-28-ge1a713d26/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml</Data> 
  <Data>Rule_Modified: 2022/11/11</Data> 
  <Data>Rule_Path: public\windows\process_creation\proc_creation_win_esentutl_sensitive_file_copy.yml</Data> 
  <Data>Rule_References: https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/, https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment, https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/</Data> 
  <Data>Rule_Sigtype: public</Data> 
  <Data>CommandLine: wbadmin.exe start backup -backupTarget:C:\temp\ -include:C:\Windows\NTDS\NTDS.dit,C:\Windows\System32\config\SYSTEM -quiet</Data> 
  <Data>Company: Microsoft Corporation</Data> 
  <Data>Computer: WIN2022</Data> 
  <Data>Correlation_ActivityID: {00000000-0000-0000-0000-000000000000}</Data> 
  <Data>Description: Command Line Interface for Microsoft® BLB Backup</Data> 
  <Data>DirectoryTableBase: 0x1256F8000</Data> 
  <Data>EventID: 1</Data> 
  <Data>Execution_ProcessID: 5476</Data> 
  <Data>Execution_ThreadID: 6980</Data> 
  <Data>ExitStatus: 259</Data> 
  <Data>FileAge: 1077d23h11m11s</Data> 
  <Data>FileCreationDate: 2021-05-08T10:16:08</Data> 
  <Data>FileVersion: 10.0.20348.1 (WinBuild.160101.0800)</Data> 
  <Data>Flags: 0</Data> 
  <Data>GrandparentCommandLine: "C:\Windows\Explorer.EXE" /NoUACCheck</Data> 
  <Data>GrandparentImage: C:\Windows\explorer.exe</Data> 
  <Data>GrandparentProcessId: 5304</Data> 
  <Data>Hashes: MD5=B8BDD86CA67E182CCD7B8D87F6A63BFA,SHA1=0BA19A8E7A6CF7525063365C58FC4C116BDA79D1,SHA256=CF64AB120342377CE266E740F0D04D5CC7D9DE2D7E54C1EF872F524525DBBDCE,IMPHASH=6858CD4B0763C9E4C7420DB6DC922801</Data> 
  <Data>Image: C:\Windows\System32\wbadmin.exe</Data> 
  <Data>ImageFileName: wbadmin.exe</Data> 
  <Data>IntegrityLevel: System</Data> 
  <Data>Keywords: 0x0</Data> 
  <Data>Level: 0</Data> 
  <Data>Match_Strings: \Windows\NTDS\NTDS.dit in CommandLine, '\\config\\SYSTEM ' in CommandLine</Data> 
  <Data>Opcode: 1</Data> 
  <Data>OriginalFileName: WBADMIN.EXE</Data> 
  <Data>ParentCommandLine: "C:\Windows\system32\cmd.exe"</Data> 
  <Data>ParentId: 0x1564</Data> 
  <Data>ParentImage: C:\Windows\System32\cmd.exe</Data> 
  <Data>ParentProcessId: 5476</Data> 
  <Data>ParentUser: LAB\Administrateur</Data> 
  <Data>ProcessId: 4220</Data> 
  <Data>ProcessTree: C:\Windows\System32\wininit.exe|C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbadmin.exe</Data> 
  <Data>Product: Microsoft® Windows® Operating System</Data> 
  <Data>Provider_Guid: {3D6FA8D0-FE05-11D0-9DDA-00C04FD7BA7C}</Data> 
  <Data>Provider_Name: SystemTraceProvider-Process</Data> 
  <Data>SessionId: 1</Data> 
  <Data>Task: 0</Data> 
  <Data>TimeCreated_SystemTime: 2024-04-20T09:27:20.2909315+02:00</Data> 
  <Data>Timestamp: 2014-11-08T10:50:44</Data> 
  <Data>UniqueProcessKey: 0xFFFFD18FAC9CE080</Data> 
  <Data>User: LAB\Administrateur</Data> 
  <Data>UserSID: \\LAB\Administrateur</Data> 
  <Data>UtcTime: 2024-04-20 07:27:20</Data> 
  <Data>Version: 4</Data> 
  <Data>Winversion: 20348</Data> 
  </EventData>

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions
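As an added illustration (not code from this pull request or from the SigmaHQ rules it adds), the snippet below parses the `<EventData>` block shown above, confirms the process is wbadmin.exe via `Image`/`OriginalFileName`, and labels the command line with the rule titles from the changelog. The keyword and path checks are my own approximation of what those titles describe, not the rules' actual selections; the sample event is constructed from the fields quoted in the PR.

```python
import xml.etree.ElementTree as ET

# Paths that the "Sensitive File Dump" / "Sensitive File Recovery" titles refer to
# (credential stores; lower-cased substrings matched against the command line).
SENSITIVE_PATHS = (
    r"\windows\ntds\ntds.dit",
    r"\config\sam",
    r"\config\system",
    r"\config\security",
)

# Constructed sample: a trimmed copy of the EventData block quoted in the PR.
SAMPLE_EVENT = r"""<EventData>
  <Data>CommandLine: wbadmin.exe start backup -backupTarget:C:\temp\ -include:C:\Windows\NTDS\NTDS.dit,C:\Windows\System32\config\SYSTEM -quiet</Data>
  <Data>Image: C:\Windows\System32\wbadmin.exe</Data>
  <Data>OriginalFileName: WBADMIN.EXE</Data>
  <Data>ParentImage: C:\Windows\System32\cmd.exe</Data>
</EventData>"""


def parse_event_data(xml_text: str) -> dict:
    """Turn '<Data>Key: Value</Data>' entries into a dict (split on the first ': ')."""
    fields = {}
    for data in ET.fromstring(xml_text).iter("Data"):
        key, sep, value = (data.text or "").partition(": ")
        if sep:
            fields[key] = value
    return fields


def classify_wbadmin(cmdline: str) -> list:
    """Return the changelog rule titles a wbadmin command line matches ([] if none)."""
    cl = cmdline.lower()
    sensitive = any(p in cl for p in SENSITIVE_PATHS)
    hits = []
    if "start backup" in cl and sensitive:
        hits.append("Sensitive File Dump Via Wbadmin.EXE")
    if "start recovery" in cl:  # any recovery is notable; sensitive targets more so
        hits.append("Sensitive File Recovery From Backup Via Wbadmin.EXE" if sensitive
                    else "File Recovery From Backup Via Wbadmin.EXE")
    if "delete" in cl and ("catalog" in cl or "backup" in cl):
        hits.append("Windows Backup Deleted Via Wbadmin.EXE")
    return hits


def scan_event(xml_text: str) -> list:
    """Identify wbadmin.exe by Image or OriginalFileName (survives a renamed copy),
    then classify its command line."""
    f = parse_event_data(xml_text)
    is_wbadmin = (f.get("Image", "").lower().endswith("\\wbadmin.exe")
                  or f.get("OriginalFileName", "").upper() == "WBADMIN.EXE")
    return classify_wbadmin(f.get("CommandLine", "")) if is_wbadmin else []


if __name__ == "__main__":
    print(scan_event(SAMPLE_EVENT))  # ['Sensitive File Dump Via Wbadmin.EXE']
```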

@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels Apr 20, 2024
@frack113 frack113 marked this pull request as ready for review April 20, 2024 09:04
@nasbench nasbench added the Work In Progress Some changes are needed label Apr 22, 2024
@nasbench nasbench self-requested a review April 22, 2024 08:11
@nasbench nasbench self-assigned this Apr 22, 2024
@nasbench nasbench removed the Work In Progress Some changes are needed label May 13, 2024
@nasbench nasbench merged commit aaf51bf into SigmaHQ:master May 13, 2024
12 checks passed
@frack113 frack113 deleted the lolbas_wbadmin branch May 13, 2024 11:00