SystemStateBackup Deleted Using Wbadmin.EXE (89f75308-5b1b-4390-b2d8-d6b2340efaf8)
Deletes the Windows systemstatebackup using wbadmin.exe. This technique is used by numerous ransomware families. This may only be successful on server platforms that have Windows Backup enabled.
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
SystemStateBackup Deleted Using Wbadmin.EXE (89f75308-5b1b-4390-b2d8-d6b2340efaf8) | Sigma-Rules | Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) | Attack Pattern | 1 |