All Backups Deleted Via Wbadmin.EXE
Detects the deletion of all backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled.
Sigma rule (View on GitHub)
1title: All Backups Deleted Via Wbadmin.EXE
2id: 639c9081-f482-47d3-a0bd-ddee3d4ecd76
3related:
4 - id: 89f75308-5b1b-4390-b2d8-d6b2340efaf8
5 type: derived
6status: test
7description: |
8 Detects the deletion of all backups or system state backups via "wbadmin.exe".
9 This technique is used by numerous ransomware families and actors.
10 This may only be successful on server platforms that have Windows Backup enabled.
11references:
12 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
13 - https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md
14 - https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/
15 - https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted
16 - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf
17 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup
18author: frack113, Nasreddine Bencherchali (Nextron Systems)
19date: 2021/12/13
20modified: 2024/05/10
21tags:
22 - attack.impact
23 - attack.t1490
24logsource:
25 category: process_creation
26 product: windows
27detection:
28 selection_img:
29 - Image|endswith: '\wbadmin.exe'
30 - OriginalFileName: 'WBADMIN.EXE'
31 selection_cli:
32 CommandLine|contains|all:
33 - 'delete'
34 - 'backup' # Also covers "SYSTEMSTATEBACKUP"
35 CommandLine|contains: 'keepVersions:0'
36 condition: all of selection_*
37falsepositives:
38 - Unknown
39level: high
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
Notes and IoCs of fresh malware. Contribute to albertzsigovits/malware-notes development by creating an account on GitHub.
Read More -
The Ranzy ransomware operators have learned from their mistakes and adapted quickly after ThunderX decryptors became publicly available.
Read More -
In this report, we discussed new ransomware family Avaddon, updates on techniques of other ransomware, and our latest figures.
Read More -
%PDF-1.7 %µµµµ 1 0 obj /Metadata 461 0 R/ViewerPreferences 462 0 R>> endobj 2 0 obj endobj 3 0 obj /ExtGState /Font /ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 594.96 842.04] /Content...
Read More -
Reference article for the wbadmin delete systemstatebackup command, which deletes the system state backups that you specify.
Read More
Related rules
- File Recovery From Backup Via Wbadmin.EXE
- Windows Backup Deleted Via Wbadmin.EXE
- Suspicious Volume Shadow Copy VSS_PS.dll Load
- WMI Shadow Copy Deletion
- Suspicious Volume Shadow Copy Vssapi.dll Load