All Backups Deleted Via Wbadmin.EXE
Detects the deletion of all backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled.
Sigma rule
title: All Backups Deleted Via Wbadmin.EXE
id: 639c9081-f482-47d3-a0bd-ddee3d4ecd76
related:
    - id: 89f75308-5b1b-4390-b2d8-d6b2340efaf8
      type: derived
status: test
description: |
    Detects the deletion of all backups or system state backups via "wbadmin.exe".
    This technique is used by numerous ransomware families and actors.
    This may only be successful on server platforms that have Windows Backup enabled.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
    - https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md
    - https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/
    - https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted
    - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021/12/13
modified: 2024/05/10
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wbadmin.exe'
        - OriginalFileName: 'WBADMIN.EXE'
    selection_cli:
        CommandLine|contains|all:
            - 'delete'
            - 'backup' # Also covers "SYSTEMSTATEBACKUP"
        CommandLine|contains: 'keepVersions:0'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
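To make the detection logic concrete, the following added example (written for this page, not code from the Sigma project or the rule authors) re-implements the rule's two selections in plain Python and runs them over a handful of constructed process-creation events. It mirrors Sigma's default case-insensitive string matching: `selection_img` is an OR over the image path suffix and the PE `OriginalFileName`, `selection_cli` requires all of `delete`, `backup` and `keepVersions:0` in the command line, and the condition ANDs the two. The `ProcessEvent` class and the sample events are assumptions made for the example; they are not real telemetry.

```python
"""Hand-written matcher for the "All Backups Deleted Via Wbadmin.EXE" Sigma rule.

Added example for illustration only; it is not Sigma's own backend code.
Field names (Image, OriginalFileName, CommandLine) follow the Sigma
process_creation taxonomy; the event records below are constructed.
"""
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal stand-in for a process_creation log record (constructed)."""
    Image: str
    CommandLine: str
    OriginalFileName: str = ""


def selection_img(ev: ProcessEvent) -> bool:
    """Sigma list-of-maps selection: any one map matching is enough (OR)."""
    # Image|endswith: '\wbadmin.exe'  (case-insensitive, as Sigma does by default)
    by_path = ev.Image.lower().endswith("\\wbadmin.exe")
    # OriginalFileName: 'WBADMIN.EXE'  (catches a renamed copy of the binary)
    by_pe_name = ev.OriginalFileName.lower() == "wbadmin.exe"
    return by_path or by_pe_name


def selection_cli(ev: ProcessEvent) -> bool:
    """Sigma map selection: every key in the map must match (AND)."""
    cl = ev.CommandLine.lower()
    # CommandLine|contains|all: ['delete', 'backup']  ("backup" also hits "systemstatebackup")
    has_delete_backup = all(token in cl for token in ("delete", "backup"))
    # CommandLine|contains: 'keepVersions:0'  (the "delete everything" case)
    keeps_nothing = "keepversions:0" in cl
    return has_delete_backup and keeps_nothing


def matches(ev: ProcessEvent) -> bool:
    """condition: all of selection_*"""
    return selection_img(ev) and selection_cli(ev)


# Constructed sample events: two true positives, one renamed-binary true positive,
# and three near-misses that this rule must NOT fire on.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\wbadmin.exe",
                 "wbadmin delete backup -keepVersions:0 -quiet", "WBADMIN.EXE"),
    ProcessEvent(r"C:\Windows\System32\wbadmin.exe",
                 "wbadmin delete systemstatebackup -keepVersions:0 -quiet", "WBADMIN.EXE"),
    ProcessEvent(r"C:\Users\Public\wb.exe",          # renamed copy, caught by OriginalFileName
                 "wb.exe delete backup -keepVersions:0 -quiet", "WBADMIN.EXE"),
    ProcessEvent(r"C:\Windows\System32\wbadmin.exe", # keeps 3 versions: not "all backups"
                 "wbadmin delete backup -keepVersions:3 -quiet", "WBADMIN.EXE"),
    ProcessEvent(r"C:\Windows\System32\wbadmin.exe", # benign backup job
                 "wbadmin start backup -backupTarget:E: -include:C: -quiet", "WBADMIN.EXE"),
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe", # different tool, covered by other rules
                 "vssadmin delete shadows /all /quiet", "VSSADMIN.EXE"),
]


def run(events: list[ProcessEvent]) -> list[int]:
    """Return the indices of events that trigger the rule."""
    return [i for i, ev in enumerate(events) if matches(ev)]


if __name__ == "__main__":
    for i in run(SAMPLE_EVENTS):
        print(f"ALERT (level: high) event[{i}]: {SAMPLE_EVENTS[i].CommandLine}")
```

The third sample shows why the rule keys on `OriginalFileName` as well as the image path: the PE header name survives a file rename, so a copied-and-renamed `wbadmin.exe` still satisfies `selection_img`. The `-keepVersions:3` sample falls outside this rule on purpose; partial deletions belong to the broader related rule listed below.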
Related rules
- File Recovery From Backup Via Wbadmin.EXE
- Windows Backup Deleted Via Wbadmin.EXE
- Suspicious Volume Shadow Copy VSS_PS.dll Load
- WMI Shadow Copy Deletion
- Suspicious Volume Shadow Copy Vssapi.dll Load