Techniques
Sample rules
Windows WBAdmin File Recovery From Backup
- source: splunk
- technicques:
- T1490
- T1565.001
Description
The following analytic identifies the execution of wbadmin.exe with arguments indicative of restoring files from an existing backup. WBAdmin is a legitimate Windows Backup utility used for creating, managing, and restoring backups. However, adversaries may abuse it to restore specific files (e.g., sensitive credentials, configuration files, or malware stagers) from prior backups to regain access or re-establish persistence after cleanup or encryption events. Monitoring this behavior is important because restoring individual files from a system backup outside of approved recovery workflows may indicate an attacker attempting to retrieve deleted or encrypted data, recover previously dropped payloads, or access prior system states as part of post-compromise activity. If confirmed malicious, this action could enable attackers to regain operational footholds, extract sensitive data, or restore tampered components, undermining remediation and containment efforts.
Detection logic
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Processes where
`process_wbadmin`
Processes.process = "*start*"
Processes.process = "*recovery*"
Processes.process = "*itemtype:file*"
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec
Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id
Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id
Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_wbadmin_file_recovery_from_backup_filter`