Process

wbadmin.exe

wbadmin.exe is the Windows Backup command-line tool, used to create and recover backups of volumes, files, and system state. Administrators use it for backup and restore. Attackers use it to delete those backups before ransomware encrypts, and to recover the Active Directory database out of a system-state backup.

File identity

File details

Not observed.

Signing information

Not observed.

File version

Not observed.

File size

Not observed.

Execution context

File paths

Not observed.

User context

Not observed.

Integrity level

Not observed.

Instances

Not observed.

Session

Not observed.

Token privileges

Not observed.

Ancestry

Parents

Not observed.

Children

Not observed.

Grandparents

Not observed.

Grandchildren

Not observed.

Behavior

Loaded modules

Not observed.

Named pipes

Not observed.

Process handles

Not observed.

Command-line patterns

Not observed.

LOLBAS (2)
  • wbadmin start backup -backupTarget:{PATH_ABSOLUTE:folder} -include:C:\Windows\NTDS\NTDS.dit,C:\Windows\System32\config\SYSTEM -quietDump · Snapshotting of the Active Directory NTDS.dit database
  • wbadmin start recovery -version:<VERSIONIDENTIFIER> -recoverytarget:{PATH_ABSOLUTE:folder} -itemtype:file -items:C:\Windows\NTDS\NTDS.dit,C:\Windows\System32\config\SYSTEM -notRestoreAcl -quietDump · Dumping of the Active Directory NTDS.dit database

Indicators

Hashes

Not observed.

Analysis

About this process

wbadmin.exe drives Windows Server Backup (and the backup engine on client editions). It can back up and restore volumes, individual files, and the system state (which on a domain controller includes the Active Directory database), and it manages the backup catalog that tracks them. It requires administrative rights and lives at C:\Windows\System32\wbadmin.exe.

Legitimately, wbadmin is run by administrators and by scheduled backup jobs. What gives an individual instance its meaning is the operation it performs: a backup, a restore, or a delete.

Security notes

wbadmin.exe is a recovery-inhibition tool for ransomware (T1490). wbadmin delete catalog -quiet and wbadmin delete systemstatebackup destroy the backups a victim would use to restore, and they often appear next to shadow-copy deletion (vssadmin) and boot-recovery tampering (bcdedit) in the moments before encryption.

On a domain controller it is also a credential-access route (T1003.003). Because the system-state backup contains ntds.dit, an attacker can use wbadmin start recovery to restore the directory database from a backup and then read the domain password hashes out of it. A delete-backup command from a script host, or a system-state recovery with no planned restore, is what separates abuse from administration.

Anomaly signals (5)
  • Image path other than C:\Windows\System32\wbadmin.exe (high)
  • delete catalog or delete systemstatebackup (destroying backups) (high)
  • start recovery of system state or ntds.dit outside a planned restore (high)
  • Parent is cmd.exe, powershell.exe, or an unfamiliar process (high)
  • Run alongside vssadmin, bcdedit, or wmic shadowcopy delete (high)
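The five signals above, turned into triage logic over process-creation events, as an added example that is not part of this profile. The event field names (ts, host, image, parent, cmdline) and the sample events are constructed for the example; the co-occurrence window of five minutes is an assumed tuning value.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "srv1", "image": r"C:\Windows\System32\wbadmin.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"wbadmin start backup -backupTarget:E: -include:C: -quiet"},
    {"ts": "2024-05-01T09:02:00", "host": "ws7", "image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"ts": "2024-05-01T09:02:05", "host": "ws7", "image": r"C:\Windows\System32\wbadmin.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "wbadmin delete catalog -quiet"},
    {"ts": "2024-05-01T09:02:09", "host": "ws7", "image": r"C:\Windows\System32\bcdedit.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"ts": "2024-05-01T11:30:00", "host": "dc1", "image": r"C:\Users\Public\wbadmin.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"wbadmin start recovery -version:05/01/2024-03:00 -itemtype:file "
                r"-items:C:\Windows\NTDS\NTDS.dit -recoverytarget:C:\tmp -notRestoreAcl -quiet"},
]

EXPECTED_IMAGE = r"c:\windows\system32\wbadmin.exe"
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def wbadmin_signals(ev):
    """High-severity signals a single wbadmin event triggers (signals 1-4 of the profile)."""
    cmd = ev["cmdline"].lower()
    signals = []
    if ev["image"].lower() != EXPECTED_IMAGE:
        signals.append("unexpected_image_path")
    if re.search(r"\bdelete\s+(catalog|systemstatebackup)\b", cmd):
        signals.append("backup_destruction")
    if "start recovery" in cmd and ("systemstate" in cmd or "ntds.dit" in cmd):
        signals.append("system_state_or_ntds_recovery")
    if basename(ev["parent"]) in SCRIPT_HOSTS:
        signals.append("script_host_parent")
    return signals

def is_recovery_tamper(ev):
    """Signal 5 neighbours: vssadmin and bcdedit always count; wmic only when deleting shadow copies."""
    exe, cmd = basename(ev["image"]), ev["cmdline"].lower()
    return exe in {"vssadmin.exe", "bcdedit.exe"} or (exe == "wmic.exe" and "shadowcopy" in cmd and "delete" in cmd)

def triage(events, window=timedelta(minutes=5)):
    """Map (host, ts) of every wbadmin event to its signals, adding the cluster signal when a
    recovery-tampering tool ran on the same host within the window (assumed 5 minutes)."""
    parsed = [(datetime.fromisoformat(e["ts"]), e) for e in events]
    findings = {}
    for ts, ev in parsed:
        if basename(ev["image"]) != "wbadmin.exe":
            continue
        sig = wbadmin_signals(ev)
        if any(o["host"] == ev["host"] and abs(ots - ts) <= window and is_recovery_tamper(o) for ots, o in parsed):
            sig.append("recovery_tamper_cluster")
        findings[(ev["host"], ev["ts"])] = sig
    return findings
```

Running triage(SAMPLE_EVENTS) leaves the scheduled backup on srv1 with no signals, while the ws7 catalog deletion picks up three signals and the dc1 NTDS.dit recovery from a non-standard path picks up three as well.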

Telemetry

OS prevalence

Not observed.

Observation timeline

Not observed.
