
Summary
This detection rule identifies the deletion of backups or system state backups through the `wbadmin.exe` command-line tool on Windows. Various ransomware families use this technique as part of their attack chain to remove backup capabilities, increasing the likelihood that the victim cannot recover without paying the ransom. Note that this detection primarily applies to server editions of Windows where the Windows Backup feature is enabled. The rule monitors process command lines for a deletion action within the backup management process, specifically `delete` commands directed at backups with the `keepVersions:0` option, which purges all retained backups. `wbadmin.exe` is commonly used for legitimate administrative tasks, but its invocation with deletion commands warrants scrutiny, particularly in environments prone to ransomware attacks.
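As an added illustration, not part of the rule or its original description, the following Python matcher applies the logic described above to constructed process-creation events. The event format (image path plus command line) and every sample command line are assumptions made for the example, not recorded telemetry.

```python
import re
from typing import List, NamedTuple


class ProcessEvent(NamedTuple):
    """One process-creation record (assumed shape, e.g. image + command line)."""
    image: str          # full path of the executable
    command_line: str   # command line as logged


# The image must be wbadmin.exe (any directory, any letter case).
WBADMIN_IMAGE = re.compile(r"(^|[\\/])wbadmin\.exe$", re.IGNORECASE)

# A `delete` verb followed somewhere by -keepVersions:0, which purges every
# retained backup. Matching only the ":0" form keeps routine retention
# pruning (e.g. -keepVersions:3) from raising alerts.
PURGE_ALL_VERSIONS = re.compile(r"\bdelete\b.*\bkeepversions:0\b", re.IGNORECASE)


def is_backup_purge(event: ProcessEvent) -> bool:
    """True when the event matches the rule: wbadmin.exe deleting all backup versions."""
    if not WBADMIN_IMAGE.search(event.image.strip().strip('"')):
        return False
    return PURGE_ALL_VERSIONS.search(event.command_line) is not None


def find_backup_purges(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Return the subset of events that should raise the alert."""
    return [e for e in events if is_backup_purge(e)]


# Constructed sample telemetry (not from a real host). The first two should
# alert; the remaining ones are benign or do not run wbadmin.exe directly.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\wbadmin.exe",
                 "wbadmin delete systemstatebackup -keepVersions:0 -quiet"),
    ProcessEvent(r"C:\Windows\System32\wbadmin.exe",
                 '"C:\\Windows\\System32\\wbadmin.exe" DELETE BACKUP -keepversions:0'),
    ProcessEvent(r"C:\Windows\System32\wbadmin.exe",
                 "wbadmin delete backup -keepVersions:3"),   # retention pruning, not a purge
    ProcessEvent(r"C:\Windows\System32\wbadmin.exe",
                 "wbadmin get versions"),                    # read-only query
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 "cmd /c echo keepVersions:0 delete"),       # wrong image, tokens out of order
]


if __name__ == "__main__":
    for hit in find_backup_purges(SAMPLE_EVENTS):
        print("ALERT (T1490 Inhibit System Recovery):", hit.command_line)
```

The rule fires only on the two purge commands; a bounded retention value such as `-keepVersions:3` is left alone, which is the main false-positive control for this pattern.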
Categories
- Windows
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1490
Created: 2021-12-13