Merge PR SigmaHQ#4830 from @frack113 - Enhance Wbadmin based rules

new: All Backups Deleted Via Wbadmin.EXE
new: Sensitive File Dump Via Wbadmin.EXE
new: File Recovery From Backup Via Wbadmin.EXE
new: Sensitive File Recovery From Backup Via Wbadmin.EXE
update: Windows Backup Deleted Via Wbadmin.EXE - Enhance logic and increase coverage

---------

Co-authored-by: nasbench <[email protected]>

rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml

@@ -6,6 +6,7 @@ references:
     - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
     - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
     - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
+    - https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml
 author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
 date: 2019/10/22
 modified: 2022/11/11

rules/windows/process_creation/proc_creation_win_wbadmin_delete_all_backups.yml

@@ -0,0 +1,39 @@
+title: All Backups Deleted Via Wbadmin.EXE
+id: 639c9081-f482-47d3-a0bd-ddee3d4ecd76
+related:
+    - id: 89f75308-5b1b-4390-b2d8-d6b2340efaf8
+      type: derived
+status: test
+description: |
+    Detects the deletion of all backups or system state backups via "wbadmin.exe".
+    This technique is used by numerous ransomware families and actors.
+    This may only be successful on server platforms that have Windows Backup enabled.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
+    - https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md
+    - https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/
+    - https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted
+    - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf
+    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
+date: 2021/12/13
+modified: 2024/05/10
+tags:
+    - attack.impact
+    - attack.t1490
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\wbadmin.exe'
+        - OriginalFileName: 'WBADMIN.EXE'
+    selection_cli:
+        CommandLine|contains|all:
+            - 'delete'
+            - 'backup' # Also covers "SYSTEMSTATEBACKUP"
+        CommandLine|contains: 'keepVersions:0'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high

rules/windows/process_creation/proc_creation_win_wbadmin_delete_backups.yml

@@ -0,0 +1,41 @@
+title: Windows Backup Deleted Via Wbadmin.EXE
+id: 89f75308-5b1b-4390-b2d8-d6b2340efaf8
+related:
+    - id: 639c9081-f482-47d3-a0bd-ddee3d4ecd76
+      type: derived
+status: test
+description: |
+    Detects the deletion of backups or system state backups via "wbadmin.exe".
+    This technique is used by numerous ransomware families and actors.
+    This may only be successful on server platforms that have Windows Backup enabled.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
+    - https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md
+    - https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/
+    - https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted
+    - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf
+    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
+date: 2021/12/13
+modified: 2024/05/10
+tags:
+    - attack.impact
+    - attack.t1490
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\wbadmin.exe'
+        - OriginalFileName: 'WBADMIN.EXE'
+    selection_cli:
+        CommandLine|contains|all:
+            - 'delete '
+            - 'backup' # Also covers "SYSTEMSTATEBACKUP"
+    filter_main_keep_versions:
+        # Note: We exclude this to avoid duplicate alerts with 639c9081-f482-47d3-a0bd-ddee3d4ecd76
+        CommandLine|contains: 'keepVersions:0'
+    condition: all of selection_* and not 1 of filter_main_*
+falsepositives:
+    - Legitimate backup activity from administration scripts and software.
+level: medium

rules/windows/process_creation/proc_creation_win_wbadmin_dump_sensitive_files.yml

@@ -0,0 +1,37 @@
+title: Sensitive File Dump Via Wbadmin.EXE
+id: 8b93a509-1cb8-42e1-97aa-ee24224cdc15
+status: experimental
+description: |
+    Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
+    Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
+references:
+    - https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml
+    - https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/
+    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
+    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup
+author: Nasreddine Bencherchali (Nextron Systems), frack113
+date: 2024/05/10
+tags:
+    - attack.credential_access
+    - attack.t1003.003
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\wbadmin.exe'
+        - OriginalFileName: 'WBADMIN.EXE'
+    selection_backup:
+        CommandLine|contains:
+            - 'start'
+            - 'backup'
+    selection_path:
+        CommandLine|contains:
+            - '\config\SAM'
+            - '\config\SECURITY'
+            - '\config\SYSTEM'
+            - '\Windows\NTDS\NTDS.dit'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate backup operation by authorized administrators. Matches must be investigated and allowed on a case by case basis.
+level: high

rules/windows/process_creation/proc_creation_win_wbadmin_restore_file.yml

@@ -0,0 +1,33 @@
+title: File Recovery From Backup Via Wbadmin.EXE
+id: 6fe4aa1e-0531-4510-8be2-782154b73b48
+related:
+    - id: 84972c80-251c-4c3a-9079-4f00aad93938
+      type: derived
+status: experimental
+description: |
+    Detects the recovery of files from backups via "wbadmin.exe".
+    Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.
+references:
+    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
+    - https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/
+author: Nasreddine Bencherchali (Nextron Systems), frack113
+date: 2024/05/10
+tags:
+    - attack.impact
+    - attack.t1490
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\wbadmin.exe'
+        - OriginalFileName: 'WBADMIN.EXE'
+    selection_cli:
+        CommandLine|contains|all:
+            - ' recovery'
+            - 'recoveryTarget'
+            - 'itemtype:File'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium

rules/windows/process_creation/proc_creation_win_wbadmin_restore_sensitive_files.yml

@@ -0,0 +1,40 @@
+title: Sensitive File Recovery From Backup Via Wbadmin.EXE
+id: 84972c80-251c-4c3a-9079-4f00aad93938
+related:
+    - id: 6fe4aa1e-0531-4510-8be2-782154b73b48
+      type: derived
+status: experimental
+description: |
+    Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
+    Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
+references:
+    - https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml
+    - https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/
+    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
+    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup
+author: Nasreddine Bencherchali (Nextron Systems), frack113
+date: 2024/05/10
+tags:
+    - attack.credential_access
+    - attack.t1003.003
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\wbadmin.exe'
+        - OriginalFileName: 'WBADMIN.EXE'
+    selection_backup:
+        CommandLine|contains|all:
+            - ' recovery'
+            - 'recoveryTarget'
+            - 'itemtype:File'
+        CommandLine|contains:
+            - '\config\SAM'
+            - '\config\SECURITY'
+            - '\config\SYSTEM'
+            - '\Windows\NTDS\NTDS.dit'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high