File Recovery From Backup Via Wbadmin.EXE

Detects the recovery of files from backups via "wbadmin.exe". Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.

Sigma rule

title: File Recovery From Backup Via Wbadmin.EXE
id: 6fe4aa1e-0531-4510-8be2-782154b73b48
related:
    - id: 84972c80-251c-4c3a-9079-4f00aad93938
      type: derived
status: experimental
description: |
    Detects the recovery of files from backups via "wbadmin.exe".
    Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
    - https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2024/05/10
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wbadmin.exe'
        - OriginalFileName: 'WBADMIN.EXE'
    selection_cli:
        CommandLine|contains|all:
            - ' recovery'
            - 'recoveryTarget'
            - 'itemtype:File'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
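Added example, not part of the Sigma project or of this rule: a minimal Python re-implementation of the rule's selection logic, run over constructed process_creation events. It assumes Sigma's default case-insensitive string matching and that `Image`, `OriginalFileName` and `CommandLine` are available as plain strings.

```python
# Added example: evaluate this rule's detection logic against constructed
# process_creation events. Not the Sigma project's own code.
from dataclasses import dataclass
from typing import List

@dataclass
class ProcessEvent:
    Image: str
    CommandLine: str
    OriginalFileName: str = ""   # may be empty if the log source lacks it

# Substrings from selection_cli; all must be present (contains|all).
CLI_MARKERS = (" recovery", "recoveryTarget", "itemtype:File")

def matches_rule(ev: ProcessEvent) -> bool:
    """condition: all of selection_*

    selection_img is a list, so its two entries are OR-ed:
    Image ends with '\\wbadmin.exe' OR OriginalFileName equals 'WBADMIN.EXE'.
    Sigma string modifiers are case-insensitive by default, hence lower().
    """
    img_ok = (ev.Image.lower().endswith(r"\wbadmin.exe")
              or ev.OriginalFileName.lower() == "wbadmin.exe")
    cli = ev.CommandLine.lower()
    cli_ok = all(marker.lower() in cli for marker in CLI_MARKERS)
    return img_ok and cli_ok

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[ProcessEvent] = [
    # 1. File-level recovery: should alert.
    ProcessEvent(r"C:\Windows\System32\wbadmin.exe",
                 r"wbadmin start recovery -version:01/01/2024-12:00 -itemtype:File "
                 r"-items:C:\data\report.docx -recoveryTarget:C:\restore -quiet",
                 "WBADMIN.EXE"),
    # 2. Backup creation, not a recovery: should not alert.
    ProcessEvent(r"C:\Windows\System32\wbadmin.exe",
                 r"wbadmin start backup -backupTarget:E: -include:C: -quiet", "WBADMIN.EXE"),
    # 3. Volume-level recovery lacks 'itemtype:File': should not alert.
    ProcessEvent(r"C:\Windows\System32\wbadmin.exe",
                 r"wbadmin start recovery -version:01/01/2024-12:00 -itemtype:Volume "
                 r"-items:D: -recoveryTarget:E:", "WBADMIN.EXE"),
    # 4. Binary copied under another name; OriginalFileName still catches it.
    ProcessEvent(r"C:\Users\Public\svc.exe",
                 r"svc.exe start recovery -version:01/01/2024-12:00 -itemtype:File "
                 r"-items:C:\data\notes.txt -recoveryTarget:C:\tmp", "WBADMIN.EXE"),
]

def run_detection(events: List[ProcessEvent]) -> List[int]:
    """Return the indices of events that match the rule."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]
```

Event 4 is why the rule pairs `Image|endswith` with `OriginalFileName` from the PE version resource: a renamed copy of the binary fails the first check but not the second.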
