LoFP / legitimate backup activity from administration scripts and software.

Techniques

Sample rules

Windows Backup Deleted Via Wbadmin.EXE

Description

Detects the deletion of backups or system state backups via “wbadmin.exe”. This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled.

Detection logic

selection_img:
  - Image|endswith: '\wbadmin.exe'
  - OriginalFileName: 'WBADMIN.EXE'
selection_cli:
  CommandLine|contains|all:
    - 'delete '
    - 'backup'
filter_main_keep_versions:
  CommandLine|contains: 'keepVersions:0'
condition: all of selection_* and not 1 of filter_main_*
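The detection block above evaluated in code, as an added example that is not part of the LoFP page or the Sigma rule itself: a minimal matcher for these selections and the condition, run over constructed process-creation events. It shows why a scheduled retention rotation such as `wbadmin delete backup -keepVersions:5` fires this rule (the legitimate administration activity this page lists), while the keepVersions:0 form is excluded by the filter. Sigma string matching is case-insensitive by default, so the matcher lowers both sides before comparing.

```python
# Detection block transcribed from the rule above (list of maps = OR, map = AND).
RULE = {
    "selection_img": [
        {"Image|endswith": "\\wbadmin.exe"},
        {"OriginalFileName": "WBADMIN.EXE"},
    ],
    "selection_cli": {"CommandLine|contains|all": ["delete ", "backup"]},
    "filter_main_keep_versions": {"CommandLine|contains": "keepVersions:0"},
}

def _field_matches(event, key, expected):
    """Evaluate one 'Field|modifier...' entry against an event, case-insensitively."""
    field, *mods = key.split("|")
    value = str(event.get(field, "")).lower()
    wanted = expected if isinstance(expected, list) else [expected]
    wanted = [str(w).lower() for w in wanted]
    if "contains" in mods:
        hits = [w in value for w in wanted]
    elif "endswith" in mods:
        hits = [value.endswith(w) for w in wanted]
    else:                                   # no modifier: exact (case-insensitive) match
        hits = [value == w for w in wanted]
    return all(hits) if "all" in mods else any(hits)

def _selection_matches(event, selection):
    if isinstance(selection, list):         # OR across list entries
        return any(_selection_matches(event, s) for s in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())

def rule_matches(event):
    """condition: all of selection_* and not 1 of filter_main_*"""
    selections = [v for k, v in RULE.items() if k.startswith("selection_")]
    filters = [v for k, v in RULE.items() if k.startswith("filter_main_")]
    return (all(_selection_matches(event, s) for s in selections)
            and not any(_selection_matches(event, f) for f in filters))

# Constructed sample events (not real telemetry); Image path and flags are assumptions.
EVENTS = {
    "ransomware_style": {"Image": "C:\\Windows\\System32\\wbadmin.exe", "CommandLine": "wbadmin delete backup -quiet"},
    "admin_rotation": {"Image": "C:\\Windows\\System32\\WBADMIN.EXE", "CommandLine": "wbadmin delete backup -keepVersions:5 -quiet"},
    "delete_all": {"Image": "C:\\Windows\\System32\\wbadmin.exe", "CommandLine": "wbadmin delete backup -keepVersions:0 -quiet"},
    "unrelated": {"Image": "C:\\Windows\\System32\\wbadmin.exe", "CommandLine": "wbadmin get versions"},
}

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(f"{name:16} -> {'MATCH' if rule_matches(ev) else 'no match'}")
```

The "admin_rotation" event is the false-positive case this page is about: a backup-rotation script matches every selection and is not excluded by the filter, so tuning it requires a site-specific filter (for example on the scheduling account or script) rather than a change to the rule's core logic.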