← Back to Explore
sigmamediumHunting
File Recovery From Backup Via Wbadmin.EXE
Detects the recovery of files from backups via "wbadmin.exe". Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.
Detection Query
selection_img:
- Image|endswith: \wbadmin.exe
- OriginalFileName: WBADMIN.EXE
selection_cli:
CommandLine|contains|all:
- " recovery"
- recoveryTarget
- itemtype:File
condition: all of selection_*
Author
Nasreddine Bencherchali (Nextron Systems), frack113
Created
2024-05-10
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.impactattack.t1490
Raw Content
title: File Recovery From Backup Via Wbadmin.EXE
id: 6fe4aa1e-0531-4510-8be2-782154b73b48
related:
- id: 84972c80-251c-4c3a-9079-4f00aad93938
type: derived
status: test
description: |
Detects the recovery of files from backups via "wbadmin.exe".
Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2024-05-10
tags:
- attack.impact
- attack.t1490
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\wbadmin.exe'
- OriginalFileName: 'WBADMIN.EXE'
selection_cli:
CommandLine|contains|all:
- ' recovery'
- 'recoveryTarget'
- 'itemtype:File'
condition: all of selection_*
falsepositives:
- Unknown
level: medium