Windows Backup Deleted Via Wbadmin.EXE

Detects the deletion of backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled.

Sigma rule

title: Windows Backup Deleted Via Wbadmin.EXE
id: 89f75308-5b1b-4390-b2d8-d6b2340efaf8
related:
    - id: 639c9081-f482-47d3-a0bd-ddee3d4ecd76
      type: derived
status: test
description: |
    Detects the deletion of backups or system state backups via "wbadmin.exe".
    This technique is used by numerous ransomware families and actors.
    This may only be successful on server platforms that have Windows Backup enabled.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
    - https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md
    - https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/
    - https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted
    - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-13
modified: 2024-05-10
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wbadmin.exe'
        - OriginalFileName: 'WBADMIN.EXE'
    selection_cli:
        CommandLine|contains|all:
            - 'delete '
            - 'backup' # Also covers "SYSTEMSTATEBACKUP"
    filter_main_keep_versions:
        # Note: We exclude this to avoid duplicate alerts with 639c9081-f482-47d3-a0bd-ddee3d4ecd76
        CommandLine|contains: 'keepVersions:0'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Legitimate backup activity from administration scripts and software.
level: medium
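As an added example (not part of the Sigma rule or its repository), the rule's two selections, its filter and its condition implemented in Python and evaluated over constructed process_creation events. Field names follow the rule; the flat dict event layout and the sample command lines are assumptions for illustration, and the matching is case-insensitive as Sigma's default string modifiers are.

```python
"""Evaluate the wbadmin backup-deletion Sigma rule over constructed events.

Added example, not the Sigma project's own code. Events are dicts keyed by the
rule's field names (Image, OriginalFileName, CommandLine); that layout is assumed.
"""


def selection_img(event):
    # A list of maps in Sigma is OR: either alternative matches.
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\wbadmin.exe") or original == "wbadmin.exe"


def selection_cli(event):
    # contains|all: every listed substring must be present in the field.
    cli = event.get("CommandLine", "").lower()
    return all(token in cli for token in ("delete ", "backup"))


def filter_main_keep_versions(event):
    # Excluded here because rule 639c9081-... already alerts on keepVersions:0.
    return "keepversions:0" in event.get("CommandLine", "").lower()


def matches(event):
    # condition: all of selection_* and not 1 of filter_main_*
    return (selection_img(event) and selection_cli(event)
            and not filter_main_keep_versions(event))


# Constructed sample events (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\wbadmin.exe", "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": "wbadmin delete systemstatebackup -keepVersions:2"},   # alerts
    {"Image": r"C:\Windows\System32\wbadmin.exe", "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": "wbadmin delete systemstatebackup -keepVersions:0"},   # left to 639c9081
    {"Image": r"C:\Windows\System32\wbadmin.exe", "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": "wbadmin get versions"},                                # benign, no "delete "
    {"Image": r"C:\Temp\wb.exe", "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": "wb.exe delete backup -keepVersions:1"},                # renamed binary, caught via OriginalFileName
]


def run(events=EVENTS):
    """Return one boolean per event: True where the rule would alert."""
    return [matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(EVENTS, run()):
        print("ALERT " if hit else "      ", event["CommandLine"])
```

The fourth event shows why the rule lists OriginalFileName beside Image: a copied or renamed binary still carries the PE original file name, so the selection matches even when the path does not.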
