← Back to Explore
sigmamediumHunting
Windows Backup Deleted Via Wbadmin.EXE
Detects the deletion of backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled.
Detection Query
selection_img:
- Image|endswith: \wbadmin.exe
- OriginalFileName: WBADMIN.EXE
selection_cli:
CommandLine|contains|all:
- "delete "
- backup
filter_main_keep_versions:
CommandLine|contains: keepVersions:0
condition: all of selection_* and not 1 of filter_main_*
Author
frack113, Nasreddine Bencherchali (Nextron Systems)
Created
2021-12-13
Data Sources
windowsProcess Creation Events
Platforms
windows
References
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
- https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md
- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup
Tags
attack.impactattack.t1490
Raw Content
title: Windows Backup Deleted Via Wbadmin.EXE
id: 89f75308-5b1b-4390-b2d8-d6b2340efaf8
related:
- id: 639c9081-f482-47d3-a0bd-ddee3d4ecd76
type: derived
status: test
description: |
Detects the deletion of backups or system state backups via "wbadmin.exe".
This technique is used by numerous ransomware families and actors.
This may only be successful on server platforms that have Windows Backup enabled.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
- https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md
- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-13
modified: 2024-05-10
tags:
- attack.impact
- attack.t1490
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\wbadmin.exe'
- OriginalFileName: 'WBADMIN.EXE'
selection_cli:
CommandLine|contains|all:
- 'delete '
- 'backup' # Also covers "SYSTEMSTATEBACKUP"
filter_main_keep_versions:
# Note: We exclude this to avoid duplicate alerts with 639c9081-f482-47d3-a0bd-ddee3d4ecd76
CommandLine|contains: 'keepVersions:0'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Legitimate backup activity from administration scripts and software.
level: medium