wbadmin.exe

  • File Path: C:\Windows\system32\wbadmin.exe
  • Description: Command Line Interface for Microsoft BLB Backup

Hashes

  • MD5: F2AA55885A2C014DA99F1355F3F71E4A
  • SHA1: F5671266FBF3FFBC32CAA2C1EFFA1768893D0173
  • SHA256: 508E5F70C29502D7BA66A35959A327E3D658514496EE7B9155D95E7409EB4FB8
  • SHA384: 112BB4954C3DBC497240B94A2288F5ECA2D62F67C9D9D721C57811772AB1761F5E68953D41817CAB04B63B12B7302B7E
  • SHA512: B60184BD95100DD7A36B708A72A896312BEA72F26A101C1D2666B83C5A6CD8CA5D9A21B81D218EFC1DA440A87C661C358CE60DAF8C602A404828DAD47B098F9A
  • SSDEEP: 6144:uapKd/whK1tDvrapOPERuzXXpyuD8FEY9h0V+fwVoiYQIo:ZKHuanEFPQIo
  • IMP: D72A8A096458529EDF54E67F5F212651
  • PESHA1: 59A27B729B5F622587EF47961C7F0E0BE7AD04A4
  • PE256: E4DE975F55A935981BA434800780A35B4DEC6C0204D77560494D369F9BEA1326

Runtime Data

Usage (stdout):

wbadmin 1.0 - Backup command-line tool
(C) Copyright Microsoft Corporation. All rights reserved.

---- Commands Supported ----

ENABLE BACKUP             -- Creates or modifies a daily backup schedule.
DISABLE BACKUP            -- Disables the scheduled backups.
START BACKUP              -- Runs a one-time backup.
STOP JOB                  -- Stops the currently running backup or recovery 
                              operation.
GET VERSIONS              -- Lists details of backups that can be recovered 
                              from a specified location.
GET ITEMS                 -- Lists items contained in a backup.
GET STATUS                -- Reports the status of the currently running 
                              operation.
DELETE BACKUP             -- Deletes one or more backups.

Loaded Modules:

  • C:\Windows\System32\KERNEL32.DLL
  • C:\Windows\System32\KERNELBASE.dll
  • C:\Windows\SYSTEM32\ntdll.dll
  • C:\Windows\system32\wbadmin.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WBADMIN.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/508e5f70c29502d7ba66a35959a327e3d658514496ee7b9155d95e7409eb4fb8/detection

Possible Misuse

The following table contains possible examples of wbadmin.exe being misused. While wbadmin.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Each entry lists the source project, the source file, the matching example text, and the license of that source.

  • sigma / proc_creation_win_delete_systemstatebackup.yml: title: Wbadmin Delete Systemstatebackup (DRL 1.0)
  • sigma / proc_creation_win_delete_systemstatebackup.yml: Deletes the Windows systemstatebackup using wbadmin.exe. (DRL 1.0)
  • sigma / proc_creation_win_delete_systemstatebackup.yml: - Image|endswith: \wbadmin.exe (DRL 1.0)
  • sigma / proc_creation_win_delete_systemstatebackup.yml: - CommandLine|contains: wbadmin (DRL 1.0)
  • sigma / proc_creation_win_malware_wannacry.yml: - 'wbadmin' (DRL 1.0)
  • sigma / proc_creation_win_multiple_suspicious_cli.yml: - wbadmin.exe (DRL 1.0)
  • sigma / proc_creation_win_shadow_copies_deletion.yml: - '\wbadmin.exe' (DRL 1.0)
  • atomic-red-team / index.md: - Atomic Test #3: Windows - wbadmin Delete Windows Backup Catalog [windows] (MIT License. © 2018 Red Canary)
  • atomic-red-team / index.md: - Atomic Test #7: Windows - wbadmin Delete systemstatebackup [windows] (MIT License. © 2018 Red Canary)
  • atomic-red-team / windows-index.md: - Atomic Test #3: Windows - wbadmin Delete Windows Backup Catalog [windows] (MIT License. © 2018 Red Canary)
  • atomic-red-team / windows-index.md: - Atomic Test #7: Windows - wbadmin Delete systemstatebackup [windows] (MIT License. © 2018 Red Canary)
  • atomic-red-team / T1490.md: * wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet (MIT License. © 2018 Red Canary)
  • atomic-red-team / T1490.md: - Atomic Test #3 - Windows - wbadmin Delete Windows Backup Catalog (MIT License. © 2018 Red Canary)
  • atomic-red-team / T1490.md: - Atomic Test #7 - Windows - wbadmin Delete systemstatebackup (MIT License. © 2018 Red Canary)
  • atomic-red-team / T1490.md: ## Atomic Test #3 - Windows - wbadmin Delete Windows Backup Catalog (MIT License. © 2018 Red Canary)
  • atomic-red-team / T1490.md: wbadmin delete catalog -quiet (MIT License. © 2018 Red Canary)
  • atomic-red-team / T1490.md: ## Atomic Test #7 - Windows - wbadmin Delete systemstatebackup (MIT License. © 2018 Red Canary)
  • atomic-red-team / T1490.md: Deletes the Windows systemstatebackup using wbadmin.exe. This technique is used by numerous ransomware families. This may only be successful on server platforms that have Windows Backup enabled. (MIT License. © 2018 Red Canary)
  • atomic-red-team / T1490.md: wbadmin delete systemstatebackup -keepVersions:0 (MIT License. © 2018 Red Canary)

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


wbadmin

Enables you to back up and restore your operating system, volumes, files, folders, and applications from a command prompt.

To configure a regularly scheduled backup using this command, you must be a member of the Administrators group. To perform all other tasks with this command, you must be a member of the Backup Operators group or the Administrators group, or you must have been delegated the appropriate permissions.

You must run wbadmin from an elevated command prompt, by right-clicking Command Prompt, and then selecting Run as administrator.

Parameters

  • wbadmin delete catalog: Deletes the backup catalog on the local computer. Use this command only if the backup catalog on this computer is corrupted and you have no backups stored at another location that you can use to restore the catalog.
  • wbadmin delete systemstatebackup: Deletes one or more system state backups.
  • wbadmin disable backup: Disables your daily backups.
  • wbadmin enable backup: Configures and enables a regularly scheduled backup.
  • wbadmin get disks: Lists disks that are currently online.
  • wbadmin get items: Lists the items included in a backup.
  • wbadmin get status: Shows the status of the currently running backup or recovery operation.
  • wbadmin get versions: Lists details of backups recoverable from the local computer or, if another location is specified, from another computer.
  • wbadmin restore catalog: Recovers a backup catalog from a specified storage location in the case where the backup catalog on the local computer has been corrupted.
  • wbadmin start backup: Runs a one-time backup. If used with no parameters, uses the settings from the daily backup schedule.
  • wbadmin start recovery: Runs a recovery of the volumes, applications, files, or folders specified.
  • wbadmin start sysrecovery: Runs a recovery of the full system (at least all the volumes that contain the operating system’s state). This command is only available if you are using the Windows Recovery Environment.
  • wbadmin start systemstatebackup: Runs a system state backup.
  • wbadmin start systemstaterecovery: Runs a system state recovery.
  • wbadmin stop job: Stops the currently running backup or recovery operation.

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.