File Recovery From Backup Via Wbadmin.EXE
Detects the recovery of files from backups via "wbadmin.exe". Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.
Sigma rule

```yaml
title: File Recovery From Backup Via Wbadmin.EXE
id: 6fe4aa1e-0531-4510-8be2-782154b73b48
related:
    - id: 84972c80-251c-4c3a-9079-4f00aad93938
      type: derived
status: experimental
description: |
    Detects the recovery of files from backups via "wbadmin.exe".
    Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
    - https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2024-05-10
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wbadmin.exe'
        - OriginalFileName: 'WBADMIN.EXE'
    selection_cli:
        CommandLine|contains|all:
            - ' recovery'
            - 'recoveryTarget'
            - 'itemtype:File'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
```
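Added here as an example (not the rule's own code and not SigmaHQ tooling): a small Python re-implementation of the rule's two selections, run over constructed process_creation events. Field names follow the Sigma process_creation taxonomy, and the lower-casing mirrors Sigma's default case-insensitive string matching.

```python
# Added example, not part of the SigmaHQ rule: evaluates this rule's detection
# logic in plain Python over constructed process_creation events.

# Selection values copied from the rule above.
IMAGE_SUFFIX = "\\wbadmin.exe"
ORIGINAL_FILE_NAME = "WBADMIN.EXE"
CLI_REQUIRED = (" recovery", "recoveryTarget", "itemtype:File")


def matches_rule(event: dict) -> bool:
    """True when the event satisfies 'condition: all of selection_*'.

    Sigma string matching (endswith, contains, plain equality) is
    case-insensitive by default, so fields are lower-cased first.
    A missing field never matches.
    """
    image = str(event.get("Image", "")).lower()
    original = str(event.get("OriginalFileName", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()

    # selection_img is a YAML list of maps: the entries are OR-ed.
    selection_img = (image.endswith(IMAGE_SUFFIX.lower())
                     or original == ORIGINAL_FILE_NAME.lower())
    # CommandLine|contains|all: every substring must be present.
    selection_cli = all(t.lower() in cmdline for t in CLI_REQUIRED)
    return selection_img and selection_cli


# Constructed sample events (not real telemetry). Only the first two should
# fire: a normal wbadmin recovery and a renamed copy caught via OriginalFileName.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\wbadmin.exe", "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": "wbadmin start recovery -version:01/01/2024-00:00 "
                    "-itemtype:File -items:C:\\data\\sample.txt -recoveryTarget:C:\\out -quiet"},
    {"Image": "C:\\Temp\\wb.exe", "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": "wb.exe start recovery -itemtype:file -items:C:\\x -recoverytarget:D:\\r"},
    # Backup creation rather than recovery: selection_cli fails.
    {"Image": "C:\\Windows\\System32\\wbadmin.exe", "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": "wbadmin start backup -backupTarget:E: -include:C:"},
    # Matching keywords in another program's command line: selection_img fails.
    {"Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c echo start recovery recoveryTarget itemtype:File"},
]


def matching_indexes(events=SAMPLE_EVENTS) -> list:
    """Indexes of the events the rule would flag."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    print("flagged events:", matching_indexes())  # [0, 1]
```

The fourth sample shows why `selection_img` matters: the command-line tokens alone would otherwise match any process that merely echoes them.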
Related rules
- All Backups Deleted Via Wbadmin.EXE
- Backup Files Deleted
- Boot Configuration Tampering Via Bcdedit.EXE
- Cisco Modify Configuration
- Copy From VolumeShadowCopy Via Cmd.EXE