T1490 - WBAdmin (#1375)

* Added wbadmin delete systemstatebackup * Update T1490.yaml Co-authored-by: mhaag-spl <76067280+mhaag-spl@users.noreply.github.com>
2021-01-23 17:53:20 -07:00
parent 57ba7350b8
commit 373176bcba
1 changed files with 12 additions and 3 deletions
@@ -37,7 +37,7 @@ atomic_tests:
      wmic.exe shadowcopy delete
    name: command_prompt
    elevation_required: true
- name: Windows - Delete Windows Backup Catalog
+- name: Windows - wbadmin Delete Windows Backup Catalog
  auto_generated_guid: 263ba6cb-ea2b-41c9-9d4e-b652dadd002c
  description: |
    Deletes Windows Backup Catalog. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Upon execution,
@@ -46,7 +46,7 @@ atomic_tests:
  - windows
  executor:
    command: |
-      wbadmin.exe delete catalog -quiet
+      wbadmin delete catalog -quiet
    name: command_prompt
    elevation_required: true
 - name: Windows - Disable Windows Recovery Console Repair
@@ -91,4 +91,13 @@ atomic_tests:
      del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
    name: command_prompt
    elevation_required: true
-
+- name: Windows - wbadmin Delete systemstatebackup
+  description: |
+    Deletes the Windows systemstatebackup using wbadmin.exe. This technique is used by numerous ransomware families. This may only be successful on server platforms that have Windows Backup enabled.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      wbadmin delete systemstatebackup -keepVersions:0
+    name: command_prompt
+    elevation_required: true