File Recovery From Backup Via Wbadmin.EXE

Rule Info

Name: File Recovery From Backup Via Wbadmin.EXE
Author: Nasreddine Bencherchali (Nextron Systems), frack113
Description: Detects the recovery of files from backups via "wbadmin.exe". Attackers can restore sensitive files such as NTDS.DIT or registry hives from backups in order to extract credentials from them.
Date: 2024-05-10 00:00:00
Modified: None
Id: 6fe4aa1e-0531-4510-8be2-782154b73b48
Tags: attack.impact attack.t1490 DEMO
Type: Community Rule

Rule History

Author: frack113
Title: Merge PR #4830 from @frack113 - Enhance Wbadmin based rules
Date: 2024-05-13
Commit: