All Backups Deleted Via Wbadmin.EXE (639c9081-f482-47d3-a0bd-ddee3d4ecd76)
Detects the deletion of all backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. The deletion may only succeed on server platforms that have Windows Backup enabled.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) | Attack Pattern | All Backups Deleted Via Wbadmin.EXE (639c9081-f482-47d3-a0bd-ddee3d4ecd76) | Sigma-Rules | 1 |