Windows Backup Deleted Via Wbadmin.EXE
Detects the deletion of backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled.
Sigma rule
```yaml
title: Windows Backup Deleted Via Wbadmin.EXE
id: 89f75308-5b1b-4390-b2d8-d6b2340efaf8
related:
    - id: 639c9081-f482-47d3-a0bd-ddee3d4ecd76
      type: derived
status: test
description: |
    Detects the deletion of backups or system state backups via "wbadmin.exe".
    This technique is used by numerous ransomware families and actors.
    This may only be successful on server platforms that have Windows Backup enabled.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
    - https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md
    - https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/
    - https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted
    - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-13
modified: 2024-05-10
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wbadmin.exe'
        - OriginalFileName: 'WBADMIN.EXE'
    selection_cli:
        CommandLine|contains|all:
            - 'delete '
            - 'backup' # Also covers "SYSTEMSTATEBACKUP"
    filter_main_keep_versions:
        # Note: We exclude this to avoid duplicate alerts with 639c9081-f482-47d3-a0bd-ddee3d4ecd76
        CommandLine|contains: 'keepVersions:0'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Legitimate backup activity from administration scripts and software.
level: medium
```
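To see how the selections, the filter and the condition combine, the following added example (not part of the SigmaHQ rule or its tooling) re-implements this rule's detection block in Python and runs it over a few constructed process-creation events. It assumes Sigma's default case-insensitive string matching, which is why the `OriginalFileName` selector still fires when the process image does not end in `wbadmin.exe`.

```python
# Added example: hand-written evaluator for this rule's detection block.
# Sigma string modifiers (endswith/contains) match case-insensitively.

def _lc(event: dict, field: str) -> str:
    """Return a field lower-cased, or '' when the event lacks it."""
    return str(event.get(field, "")).lower()

def selection_img(event: dict) -> bool:
    # A list under a selection is OR-ed: either entry may match.
    return (_lc(event, "Image").endswith("\\wbadmin.exe")
            or _lc(event, "OriginalFileName") == "wbadmin.exe")

def selection_cli(event: dict) -> bool:
    # contains|all: every keyword must appear. 'backup' also covers
    # 'systemstatebackup', as the rule comment notes.
    cli = _lc(event, "CommandLine")
    return all(k in cli for k in ("delete ", "backup"))

def filter_main_keep_versions(event: dict) -> bool:
    # Excluded to avoid a duplicate alert with the related rule
    # 639c9081-f482-47d3-a0bd-ddee3d4ecd76 (All Backups Deleted Via Wbadmin.EXE).
    return "keepversions:0" in _lc(event, "CommandLine")

def matches(event: dict) -> bool:
    """condition: all of selection_* and not 1 of filter_main_*"""
    return (selection_img(event) and selection_cli(event)
            and not filter_main_keep_versions(event))

# Constructed sample events with Sysmon Event ID 1 style fields (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\wbadmin.exe", "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": "wbadmin delete systemstatebackup -keepVersions:3 -quiet"},
    {"Image": "C:\\Windows\\System32\\wbadmin.exe", "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": "wbadmin DELETE BACKUP -keepVersions:0 -quiet"},  # left to the related rule
    {"Image": "C:\\Users\\Public\\svc.exe", "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": "svc.exe delete backup -backupTarget:E: -deleteOldest"},  # OriginalFileName hit
    {"Image": "C:\\Windows\\System32\\wbadmin.exe", "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": "wbadmin get versions"},  # read-only, no alert
]

def alert_indexes(events=SAMPLE_EVENTS) -> list:
    """Indexes of the events this rule would fire on."""
    return [i for i, e in enumerate(events) if matches(e)]

if __name__ == "__main__":
    print(alert_indexes())  # [0, 2]
```

Event 1 is deliberately not alerted here; with `-keepVersions:0` it belongs to the related rule, so an environment running only this rule would miss that case.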
Related rules
- All Backups Deleted Via Wbadmin.EXE
- Backup Files Deleted
- Boot Configuration Tampering Via Bcdedit.EXE
- Cisco Modify Configuration
- Copy From VolumeShadowCopy Via Cmd.EXE