All Backups Deleted Via Wbadmin.EXE (639c9081-f482-47d3-a0bd-ddee3d4ecd76)
Detects the deletion of all backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| All Backups Deleted Via Wbadmin.EXE (639c9081-f482-47d3-a0bd-ddee3d4ecd76) | Sigma-Rules | Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) | Attack Pattern | 1 |