
LOLBAS wbadmin rule

Open frack113 opened this issue 10 months ago • 0 comments

Summary of the Pull Request

Add rule for https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Wbadmin.yml

Changelog

  • add: Wbadmin NTDS.dit or SYSTEM hive access
  • chore: Add LOLBAS reference to proc_creation_win_esentutl_sensitive_file_copy

Example Log Event

<EventData>
  <Data>Sigma rule match found: Copying Sensitive Files with Credential Data (see Details tab for more information)</Data> 
  <Data>Module: Sigma</Data> 
  <Data>Rule_Title: Copying Sensitive Files with Credential Data</Data> 
  <Data>Rule_Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community</Data> 
  <Data>Rule_Description: Files with well-known filenames (sensitive files with credential data) copying</Data> 
  <Data>Rule_FalsePositives: Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator</Data> 
  <Data>Rule_Id: e7be6119-fc37-43f0-ad4f-1f3f99be2f9f</Data> 
  <Data>Rule_Level: high</Data> 
  <Data>Rule_Link: https://github.com/SigmaHQ/sigma/blob/r2024-03-26-28-ge1a713d26/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml</Data> 
  <Data>Rule_Modified: 2022/11/11</Data> 
  <Data>Rule_Path: public\windows\process_creation\proc_creation_win_esentutl_sensitive_file_copy.yml</Data> 
  <Data>Rule_References: https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/, https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment, https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/</Data> 
  <Data>Rule_Sigtype: public</Data> 
  <Data>CommandLine: wbadmin.exe start backup -backupTarget:C:\temp\ -include:C:\Windows\NTDS\NTDS.dit,C:\Windows\System32\config\SYSTEM -quiet</Data> 
  <Data>Company: Microsoft Corporation</Data> 
  <Data>Computer: WIN2022</Data> 
  <Data>Correlation_ActivityID: {00000000-0000-0000-0000-000000000000}</Data> 
  <Data>Description: Command Line Interface for Microsoft® BLB Backup</Data> 
  <Data>DirectoryTableBase: 0x1256F8000</Data> 
  <Data>EventID: 1</Data> 
  <Data>Execution_ProcessID: 5476</Data> 
  <Data>Execution_ThreadID: 6980</Data> 
  <Data>ExitStatus: 259</Data> 
  <Data>FileAge: 1077d23h11m11s</Data> 
  <Data>FileCreationDate: 2021-05-08T10:16:08</Data> 
  <Data>FileVersion: 10.0.20348.1 (WinBuild.160101.0800)</Data> 
  <Data>Flags: 0</Data> 
  <Data>GrandparentCommandLine: "C:\Windows\Explorer.EXE" /NoUACCheck</Data> 
  <Data>GrandparentImage: C:\Windows\explorer.exe</Data> 
  <Data>GrandparentProcessId: 5304</Data> 
  <Data>Hashes: MD5=B8BDD86CA67E182CCD7B8D87F6A63BFA,SHA1=0BA19A8E7A6CF7525063365C58FC4C116BDA79D1,SHA256=CF64AB120342377CE266E740F0D04D5CC7D9DE2D7E54C1EF872F524525DBBDCE,IMPHASH=6858CD4B0763C9E4C7420DB6DC922801</Data> 
  <Data>Image: C:\Windows\System32\wbadmin.exe</Data> 
  <Data>ImageFileName: wbadmin.exe</Data> 
  <Data>IntegrityLevel: System</Data> 
  <Data>Keywords: 0x0</Data> 
  <Data>Level: 0</Data> 
  <Data>Match_Strings: \Windows\NTDS\NTDS.dit in CommandLine, '\\config\\SYSTEM ' in CommandLine</Data> 
  <Data>Opcode: 1</Data> 
  <Data>OriginalFileName: WBADMIN.EXE</Data> 
  <Data>ParentCommandLine: "C:\Windows\system32\cmd.exe"</Data> 
  <Data>ParentId: 0x1564</Data> 
  <Data>ParentImage: C:\Windows\System32\cmd.exe</Data> 
  <Data>ParentProcessId: 5476</Data> 
  <Data>ParentUser: LAB\Administrateur</Data> 
  <Data>ProcessId: 4220</Data> 
  <Data>ProcessTree: C:\Windows\System32\wininit.exe|C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbadmin.exe</Data> 
  <Data>Product: Microsoft® Windows® Operating System</Data> 
  <Data>Provider_Guid: {3D6FA8D0-FE05-11D0-9DDA-00C04FD7BA7C}</Data> 
  <Data>Provider_Name: SystemTraceProvider-Process</Data> 
  <Data>SessionId: 1</Data> 
  <Data>Task: 0</Data> 
  <Data>TimeCreated_SystemTime: 2024-04-20T09:27:20.2909315+02:00</Data> 
  <Data>Timestamp: 2014-11-08T10:50:44</Data> 
  <Data>UniqueProcessKey: 0xFFFFD18FAC9CE080</Data> 
  <Data>User: LAB\Administrateur</Data> 
  <Data>UserSID: \\LAB\Administrateur</Data> 
  <Data>UtcTime: 2024-04-20 07:27:20</Data> 
  <Data>Version: 4</Data> 
  <Data>Winversion: 20348</Data> 
  </EventData>

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

frack113 avatar Apr 20 '24 07:04 frack113
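The example log event above shows what the match looks like in practice: a wbadmin.exe process-creation event whose CommandLine names the NTDS.dit database and the SYSTEM hive, with `Match_Strings` listing the two substrings that fired. The following added example (my own code, not the Sigma project's rule or its toolchain) re-implements that selection logic in Python over constructed `<EventData>` records in the same `<Data>Key: Value</Data>` layout, so the behaviour on a true positive, a routine backup and an out-of-scope process can be checked offline. The image and substring checks are reconstructed from the `Match_Strings` field and the LOLBAS description; the merged rule's exact selection may differ. The SYSTEM-hive pattern uses a word boundary where the rule's match string uses a trailing space; that broadening is my choice, so the hive path is still caught when it is followed by a comma or a quote.

```python
"""Toy re-implementation of the wbadmin sensitive-file-access detection.

Added example: not SigmaHQ code. The selection logic is reconstructed from the
Match_Strings field of the PR's example log event and may differ from the rule.
"""
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample events. The first CommandLine is the one from the PR's
# example log event (other fields trimmed); the other two are constructed.
SAMPLE_EVENTS = [
    # 1) true positive: wbadmin asked to back up NTDS.dit and the SYSTEM hive
    r"""<EventData>
  <Data>EventID: 1</Data>
  <Data>Image: C:\Windows\System32\wbadmin.exe</Data>
  <Data>OriginalFileName: WBADMIN.EXE</Data>
  <Data>CommandLine: wbadmin.exe start backup -backupTarget:C:\temp\ -include:C:\Windows\NTDS\NTDS.dit,C:\Windows\System32\config\SYSTEM -quiet</Data>
  <Data>User: LAB\Administrateur</Data>
</EventData>""",
    # 2) constructed benign case: routine wbadmin backup of a data folder
    r"""<EventData>
  <Data>EventID: 1</Data>
  <Data>Image: C:\Windows\System32\wbadmin.exe</Data>
  <Data>OriginalFileName: WBADMIN.EXE</Data>
  <Data>CommandLine: wbadmin.exe start backup -backupTarget:E: -include:C:\Data -quiet</Data>
  <Data>User: LAB\backupsvc</Data>
</EventData>""",
    # 3) constructed: sensitive path present, but the image is not wbadmin,
    #    so it is out of scope for this particular rule
    r"""<EventData>
  <Data>EventID: 1</Data>
  <Data>Image: C:\Windows\System32\notepad.exe</Data>
  <Data>OriginalFileName: NOTEPAD.EXE</Data>
  <Data>CommandLine: notepad.exe C:\Windows\NTDS\NTDS.dit</Data>
  <Data>User: LAB\alice</Data>
</EventData>""",
]

# Substrings reconstructed from Match_Strings in the PR's log event. Sigma
# 'contains' is case-insensitive, hence re.IGNORECASE. The SYSTEM-hive pattern
# uses a word boundary instead of the rule's trailing space (my assumption).
SENSITIVE_MARKERS = {
    "ntds_dit": re.compile(r"\\Windows\\NTDS\\NTDS\.dit", re.IGNORECASE),
    "system_hive": re.compile(r"\\config\\SYSTEM\b", re.IGNORECASE),
}


def parse_event_data(xml_text: str) -> dict:
    """Turn <Data>Key: Value</Data> children into a dict.

    The first ': ' separates key from value, so values that themselves contain
    ': ' (URLs in Rule_Link, for instance) survive intact.
    """
    root = ET.fromstring(xml_text)
    fields = {}
    for data in root.iter("Data"):
        key, sep, value = (data.text or "").strip().partition(": ")
        if sep:
            fields[key] = value
    return fields


def detect_wbadmin_sensitive_access(event: dict) -> Optional[dict]:
    """Return match details when wbadmin.exe touches NTDS.dit or the SYSTEM hive."""
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "")
    # Image filter: either the path or the PE original name identifies wbadmin
    if not (image.lower().endswith("\\wbadmin.exe") or original.upper() == "WBADMIN.EXE"):
        return None
    cmd = event.get("CommandLine", "")
    hits = [name for name, rx in SENSITIVE_MARKERS.items() if rx.search(cmd)]
    if not hits:
        return None
    # Context a responder wants for triage (legitimate backups are the known FP)
    return {"user": event.get("User"), "matched": hits, "command_line": cmd}


def run_samples() -> list:
    """Run the detection over the constructed events; one result per event."""
    return [detect_wbadmin_sensitive_access(parse_event_data(x)) for x in SAMPLE_EVENTS]


if __name__ == "__main__":
    for idx, result in enumerate(run_samples(), start=1):
        print(f"event {idx}: {'MATCH ' + str(result) if result else 'no match'}")
```

Only the first event fires, with both markers; the second is the false-positive class the rule metadata already names (a legitimate backup that happens to use wbadmin, here of a non-sensitive path), and the third shows that this rule is scoped to the wbadmin image, which is why the esentutl rule referenced in the changelog exists separately.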