SystemStateBackup Deleted Using Wbadmin.EXE (89f75308-5b1b-4390-b2d8-d6b2340efaf8)

Deletes the Windows systemstatebackup using wbadmin.exe. This technique is used by numerous ransomware families. This may only be successful on server platforms that have Windows Backup enabled.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| SystemStateBackup Deleted Using Wbadmin.EXE (89f75308-5b1b-4390-b2d8-d6b2340efaf8) | Sigma-Rules | Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) | Attack Pattern | 1 |