Splunk Lantern

Wbadmin delete backup files

Wbadmin.exe is a command line utility built into Windows to back up and restore operating systems, drive volumes, files, folders, and applications from a command-line interface (CLI). This search looks for flags related to backup file deletions passed to wbadmin.exe. This action is typically used in ransomware attacks to prevent file recovery.

Data required 

Endpoint data

Procedure

  1. Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation. To run this search, your deployment needs to be ingesting data that records process activity, including parent-child relationships from your endpoints, to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the Process field in the Endpoint data model.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
| tstats allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE ("Processes.process_name"=wbadmin.exe "Processes.process"="*delete*" ("Processes.process"="*catalog*" OR "Processes.process"="*systemstatebackup*")) BY "Processes.process_name", "Processes.process", "Processes.parent_process_name", "Processes.dest", "Processes.user" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search:
  | tstats allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE ("Processes.process_name"=wbadmin.exe "Processes.process"="*delete*" ("Processes.process"="*catalog*" OR "Processes.process"="*systemstatebackup*")) BY "Processes.process_name", "Processes.process", "Processes.parent_process_name", "Processes.dest", "Processes.user"
Explanation:
  Query the Endpoint.Processes data model object for wbadmin.exe executions whose command line carries the flags seen when backup files are deleted. Group the results by process name, process, parent process name, destination, and user.

Splunk Search:
  | rename "Processes.*" AS "*"
Explanation:
  Rename the data model fields for better readability.

Splunk Search:
  | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime)
  | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
Explanation:
  Convert the epoch timestamps into readable strings.

Next steps

You can tune your search results based on parent process names. False positives from this search might occur because administrators can modify boot configuration settings for legitimate reasons.
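The following Python script is an added example, not part of the Splunk Lantern article and not Splunk code. It reproduces the logic of the search above (the WHERE clause, the BY grouping, and the count/firstTime/lastTime conversion) over a handful of constructed process events, and adds the parent-process tuning that the paragraph above suggests as an allow list. The event records, host names, user names and the `allowed_parents` parameter are all assumptions made for the example; in a real deployment the same fields come from the Endpoint.Processes data model.

```python
from datetime import datetime, timezone

# Constructed sample process events (not real telemetry), shaped like the
# Endpoint.Processes data model fields the search reads.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "process_name": "wbadmin.exe",
     "process": "wbadmin.exe delete catalog -quiet",
     "parent_process_name": "cmd.exe", "dest": "ws01", "user": "CORP\\alice"},
    {"_time": 1700000060, "process_name": "wbadmin.exe",
     "process": "wbadmin.exe DELETE SYSTEMSTATEBACKUP -keepVersions:0",
     "parent_process_name": "cmd.exe", "dest": "ws01", "user": "CORP\\alice"},
    {"_time": 1700000120, "process_name": "wbadmin.exe",
     "process": "wbadmin.exe get versions",
     "parent_process_name": "powershell.exe", "dest": "srv02", "user": "CORP\\svc-backup"},
    {"_time": 1700000180, "process_name": "wbadmin.exe",
     "process": "wbadmin.exe delete catalog -quiet",
     "parent_process_name": "backupagent.exe", "dest": "srv02", "user": "CORP\\svc-backup"},
    {"_time": 1700000240, "process_name": "notepad.exe",
     "process": "notepad.exe delete_catalog_notes.txt",
     "parent_process_name": "explorer.exe", "dest": "ws01", "user": "CORP\\alice"},
]

# Same fields as the tstats BY clause, after the "Processes." prefix is renamed away.
GROUP_FIELDS = ("process_name", "process", "parent_process_name", "dest", "user")
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S"


def matches_wbadmin_delete(event):
    """Mirror the WHERE clause: process_name is wbadmin.exe and the command
    line contains 'delete' together with 'catalog' or 'systemstatebackup'.
    Splunk field and wildcard matches are case-insensitive, so compare lower-cased."""
    if event.get("process_name", "").lower() != "wbadmin.exe":
        return False
    cmd = event.get("process", "").lower()
    return "delete" in cmd and ("catalog" in cmd or "systemstatebackup" in cmd)


def run_search(events, allowed_parents=()):
    """Group matching events the way the tstats BY clause does and compute
    count, firstTime and lastTime per group.

    allowed_parents is a hypothetical tuning knob (not in the original search):
    events whose parent process name is on the list are dropped, which is one
    way to suppress known-good backup tooling named in the Next steps section."""
    allowed = {p.lower() for p in allowed_parents}
    groups = {}
    for ev in events:
        if not matches_wbadmin_delete(ev):
            continue
        if ev.get("parent_process_name", "").lower() in allowed:
            continue
        key = tuple(ev.get(f, "") for f in GROUP_FIELDS)
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])

    rows = []
    for key, g in groups.items():
        row = dict(zip(GROUP_FIELDS, key))
        row["count"] = g["count"]
        # Equivalent of "convert ctime(...)": epoch seconds to a readable string.
        # UTC is used here; Splunk's ctime() renders in the search head's timezone.
        row["firstTime"] = datetime.fromtimestamp(g["firstTime"], tz=timezone.utc).strftime(TIME_FORMAT)
        row["lastTime"] = datetime.fromtimestamp(g["lastTime"], tz=timezone.utc).strftime(TIME_FORMAT)
        rows.append(row)
    return rows


if __name__ == "__main__":
    # Three rows without tuning; two once the backup agent's child processes are allow-listed.
    for row in run_search(SAMPLE_EVENTS):
        print(row)
    print("--- with parent allow list ---")
    for row in run_search(SAMPLE_EVENTS, allowed_parents=("backupagent.exe",)):
        print(row)
```

Run it as-is to see the three grouped rows the search would return for the constructed events, then the two that survive once the backup agent's parent process is allow-listed. The "get versions" event and the notepad.exe event never match, because the process-name gate and the delete/catalog/systemstatebackup conjunction are both required, exactly as in the SPL WHERE clause.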

If you find evidence of a ransomware infection from this search, start your incident response process for dealing with a ransomware infection. You should check for recent backups for the systems affected by the infection.

Finally, you might be interested in other processes associated with the Detecting a ransomware attack use case.