title: Wbadmin Delete Systemstatebackup
id: 89f75308-5b1b-4390-b2d8-d6b2340efaf8
status: experimental
description: |
  Deletes the Windows systemstatebackup using wbadmin.exe.
  This technique is used by numerous ransomware families.
  This may only be successful on server platforms that have Windows Backup enabled.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
author: frack113
date: 2021/12/13
modified: 2022/02/28
logsource:
    category: process_creation
    product: windows
detection:
    wbadmin_exe: 
        - Image|endswith: \wbadmin.exe
        - CommandLine|contains: wbadmin
    wbadmin_cmd:
        CommandLine|contains|all:
            - 'delete '
            - 'systemstatebackup '
            - '-keepVersions:0'
    condition: all of wbadmin_*
falsepositives:
    - Unknown
level: high
tags:
    - attack.impact
    - attack.t1490