SystemStateBackup Deleted Using Wbadmin.EXE
Detects deletion of the Windows system state backup through wbadmin.exe (`wbadmin delete systemstatebackup -keepVersions:0`), which removes every retained system state backup and so hampers recovery. This technique is used by numerous ransomware families. It will typically only succeed on server platforms that have Windows Backup enabled, since that is where system state backups exist.
Sigma rule

```yaml
title: SystemStateBackup Deleted Using Wbadmin.EXE
id: 89f75308-5b1b-4390-b2d8-d6b2340efaf8
status: test
description: |
    Deletes the Windows systemstatebackup using wbadmin.exe.
    This technique is used by numerous ransomware families.
    This may only be successful on server platforms that have Windows Backup enabled.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
author: frack113
date: 2021/12/13
modified: 2023/02/04
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wbadmin.exe'
        - OriginalFileName: 'WBADMIN.EXE'
    selection_cli:
        CommandLine|contains|all:
            - 'delete '
            - 'systemstatebackup '
            - '-keepVersions:0'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
```
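The following is an added example, not part of the Sigma project or of this rule: it re-implements the rule's two selections in plain Python and runs them over a few constructed process_creation events (the events are made up for illustration, not real telemetry; the field names follow Sigma's generic process_creation taxonomy). It shows three things a practitioner should know about this rule: Sigma string matching is case-insensitive by default, so `DELETE SystemStateBackup` still fires; the `OriginalFileName` alternative catches a renamed wbadmin binary; and the command-line selection only matches the `-keepVersions:0` form, so the other documented deletion forms of `wbadmin delete systemstatebackup` (`-version:<id>` and `-deleteOldest`) are not covered and would need a separate rule or a broader selection.

```python
# Added example: evaluates the detection logic of the Sigma rule above over
# constructed process_creation events. Not part of Sigma or of the rule.
# Field names (Image, OriginalFileName, CommandLine) follow the Sigma
# generic process_creation taxonomy.

# Constructed sample events (not real telemetry), each with a label.
SAMPLE_EVENTS = [
    {
        "label": "ransomware-style deletion",
        "Image": r"C:\Windows\System32\wbadmin.exe",
        "OriginalFileName": "WBADMIN.EXE",
        "CommandLine": "wbadmin delete systemstatebackup -keepVersions:0 -quiet",
    },
    {
        "label": "renamed binary, same original name",
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "WBADMIN.EXE",
        "CommandLine": "svc.exe DELETE SystemStateBackup -keepVersions:0",
    },
    {
        "label": "pruning, keeps newest backups",
        "Image": r"C:\Windows\System32\wbadmin.exe",
        "OriginalFileName": "WBADMIN.EXE",
        "CommandLine": "wbadmin delete systemstatebackup -keepVersions:3",
    },
    {
        "label": "deleteOldest variant (not covered by the rule)",
        "Image": r"C:\Windows\System32\wbadmin.exe",
        "OriginalFileName": "WBADMIN.EXE",
        "CommandLine": "wbadmin delete systemstatebackup -deleteOldest -quiet",
    },
    {
        "label": "unrelated process with similar arguments",
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd /c echo delete systemstatebackup -keepVersions:0",
    },
]


def selection_img(event):
    """Sigma 'selection_img': a list of maps is OR-ed together.
    String comparisons in Sigma are case-insensitive by default."""
    image = event.get("Image", "").lower()
    original_name = event.get("OriginalFileName", "").lower()
    return image.endswith(r"\wbadmin.exe") or original_name == "wbadmin.exe"


def selection_cli(event):
    """Sigma 'selection_cli': contains|all requires every substring to be
    present (case-insensitive). The trailing spaces in 'delete ' and
    'systemstatebackup ' are part of the match, as in the rule."""
    cli = event.get("CommandLine", "").lower()
    needles = ("delete ", "systemstatebackup ", "-keepversions:0")
    return all(n in cli for n in needles)


def rule_matches(event):
    """condition: all of selection_* (both selections must hold)."""
    return selection_img(event) and selection_cli(event)


def evaluate(events=SAMPLE_EVENTS):
    """Return {label: matched} for each event."""
    return {e["label"]: rule_matches(e) for e in events}


if __name__ == "__main__":
    for label, hit in evaluate().items():
        print(f"{'ALERT' if hit else '  -  '}  {label}")
```

Running it alerts on the first two events only: the pruning command (`-keepVersions:3`) and the `cmd.exe` echo are correctly ignored, but the `-deleteOldest` deletion also passes silently, which is the gap to keep in mind when relying on this rule alone.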
References
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
Related rules
- Cisco Modify Configuration
- Delete Volume Shadow Copies via WMI with PowerShell - PS Script
- Boot Configuration Database (BCD) Manipulation - Registry Modification
- Use of bcdedit to Disrupt Boot Processes
- WMIC Shadow Copy Deletion