File Recovery From Backup Via Wbadmin.EXE (6fe4aa1e-0531-4510-8be2-782154b73b48)
Detects the recovery of files from backups via "wbadmin.exe". Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) | Attack Pattern | File Recovery From Backup Via Wbadmin.EXE (6fe4aa1e-0531-4510-8be2-782154b73b48) | Sigma-Rules | 1 |