
Summary
This rule is designed to detect the deletion of all backups or system state backups on Windows operating systems using the 'wbadmin.exe' utility. It focuses specifically on detecting attempts made by ransomware and malicious actors to erase backups, which is a common tactic to prevent victims from restoring their data. The rule analyzes process creation logs, looking for specific command line arguments associated with the use of 'wbadmin.exe'. It identifies commands that contain 'delete' and 'backup' along with 'keepVersions:0', which indicates an intention to delete all backups without retaining any previous copies. The detection is applied only on servers with Windows Backup enabled, making it relevant for environments where this service is utilized. The high severity level reflects the significant impact such actions can have on data recovery and business continuity, especially in the wake of a ransomware attack. Furthermore, known ransomware families such as LockBit have been linked to this behavior, increasing the importance of deploying this detection rule in relevant environments.
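As an added illustration (not the rule's own logic or any vendor code), the following Python sketch applies the matching conditions described above to constructed process-creation events: the process image must be wbadmin.exe and the command line must contain 'delete', 'backup' and 'keepVersions:0', compared case-insensitively. The event field names (image, command_line, user) and all sample events are assumptions made for the example.

```python
"""Toy re-implementation of the wbadmin backup-deletion detection described above.

Constructed example for illustration; field names mirror typical Windows
process-creation telemetry and the sample events are made up.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Substrings the rule requires in the command line. Compared in lower case
# because wbadmin accepts its verbs and switches in any letter case.
REQUIRED_TOKENS = ("delete", "backup", "keepversions:0")


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str   # command line as recorded by the endpoint sensor
    user: str           # account the process ran as


def is_wbadmin_backup_deletion(event: ProcessEvent) -> bool:
    """Return True when the event matches the rule's conditions.

    Image check: only the file name matters, so the path prefix is stripped.
    Command-line check: every required token must appear (substring match).
    """
    image_name = event.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image_name != "wbadmin.exe":
        return False
    cmd = event.command_line.lower()
    return all(token in cmd for token in REQUIRED_TOKENS)


def find_alerts(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Filter a stream of process-creation events down to those that alert."""
    return [e for e in events if is_wbadmin_backup_deletion(e)]


# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    # Deletes every backup version: should alert.
    ProcessEvent(r"C:\Windows\System32\wbadmin.exe",
                 "wbadmin delete backup -keepVersions:0 -quiet",
                 r"NT AUTHORITY\SYSTEM"),
    # System state variant, upper case: 'backup' is a substring of
    # 'systemstatebackup', so this should also alert.
    ProcessEvent(r"C:\Windows\System32\wbadmin.exe",
                 "WBADMIN DELETE SYSTEMSTATEBACKUP -keepVersions:0 -quiet",
                 r"CORP\backup-admin"),
    # Routine retention trimming keeps three versions: should not alert.
    ProcessEvent(r"C:\Windows\System32\wbadmin.exe",
                 "wbadmin delete backup -keepVersions:3 -quiet",
                 r"CORP\backup-admin"),
    # Starting a backup job: should not alert.
    ProcessEvent(r"C:\Windows\System32\wbadmin.exe",
                 "wbadmin start backup -backupTarget:E: -include:C: -quiet",
                 r"NT AUTHORITY\SYSTEM"),
    # Same words in an unrelated process: image check rejects it.
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c echo delete backup keepVersions:0",
                 r"CORP\alice"),
]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT user={alert.user} cmd={alert.command_line}")
```

Two of the five constructed events alert. The check is deliberately a plain substring match, as the rule's description implies, so it also catches the system state variant; the trade-off is that retention values beginning with 0 (for example keepVersions:01) would also match, which is worth keeping in mind when tuning on real data. Scoping the rule to servers with Windows Backup enabled, as the summary states, is what keeps this permissive match from generating noise elsewhere.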
Categories
- Endpoint
- Windows
- Infrastructure
Data Sources
- Process
ATT&CK Techniques
- T1490
Created: 2021-12-13