File Recovery From Backup Via Wbadmin.EXE

Sigma Rules

Summary
This detection rule identifies executions of the Windows command-line backup tool 'wbadmin.exe' that recover files from a backup. Such recoveries carry significant risk because an attacker can abuse them to restore sensitive files, such as NTDS.DIT (the Active Directory database) or Windows Registry hives, from which credentials can be extracted and used for unauthorized access and further compromise of systems. The rule tracks the execution of 'wbadmin.exe' during recovery operations, specifically command lines that contain keywords indicating a file recovery, and relies on process creation logs to identify that activity.
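The detection described above, worked through in Python as an added example rather than the rule's own logic: it applies an image-suffix plus keyword selection to process-creation events and pulls out the restored item for triage. The exact keyword set is an assumption drawn from wbadmin's documented `start recovery` options (`-itemType:File`, `-items:`, `-recoveryTarget:`), since the summary only says "specified keywords"; field names follow the Sigma process_creation convention.

```python
"""Added example (not the Sigma rule's own logic): match wbadmin.exe
file-recovery commands in process-creation events and rank hits by what
they restore. Keyword set is an assumption based on wbadmin's documented
'start recovery' options; the summary only says "specified keywords"."""
import re
from typing import Dict, List, Optional, Tuple

IMAGE_SUFFIX = "\\wbadmin.exe"                                        # Image|endswith
RECOVERY_KEYWORDS = ("recovery", "recoverytarget", "itemtype:file")   # CommandLine|contains|all
ITEMS_RE = re.compile(r'-items:("[^"]*"|\S+)', re.IGNORECASE)
# Restored paths that are credential stores named in the rule summary.
SENSITIVE_MARKERS = ("ntds.dit", "\\config\\sam", "\\config\\system", "\\config\\security")

def is_wbadmin_file_recovery(event: Dict[str, str]) -> bool:
    """Mirror the selection: wbadmin.exe image plus every recovery keyword."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return image.endswith(IMAGE_SUFFIX) and all(k in cmdline for k in RECOVERY_KEYWORDS)

def restored_item(cmdline: str) -> Optional[str]:
    """Pull the -items: argument so the alert states what was restored."""
    m = ITEMS_RE.search(cmdline)
    return m.group(1).strip('"') if m else None

def severity(item: Optional[str]) -> str:
    """'high' when the restored path is a known credential store, else 'medium'."""
    low = (item or "").lower()
    return "high" if any(marker in low for marker in SENSITIVE_MARKERS) else "medium"

def triage(events: List[Dict[str, str]]) -> List[Tuple[str, Optional[str]]]:
    """Return (severity, restored item) for each matching event, in input order."""
    hits = []
    for ev in events:
        if is_wbadmin_file_recovery(ev):
            item = restored_item(ev.get("CommandLine", ""))
            hits.append((severity(item), item))
    return hits

# Constructed sample events, not real telemetry: two recoveries, two non-matches.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\wbadmin.exe",
     "CommandLine": 'wbadmin start recovery -version:01/02/2024-03:04 -itemType:File '
                    '-items:"C:\\Windows\\NTDS\\ntds.dit" -recoveryTarget:C:\\Temp -quiet'},
    {"Image": "C:\\Windows\\System32\\wbadmin.exe",
     "CommandLine": "wbadmin start recovery -version:01/02/2024-03:04 -itemType:File "
                    "-items:D:\\Shares\\Finance\\q1.xlsx -recoveryTarget:D:\\Restore"},
    {"Image": "C:\\Windows\\System32\\wbadmin.exe", "CommandLine": "wbadmin get versions"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c echo recovery recoverytarget itemtype:file"},
]
```

Legitimate administrator restores match the same selection, so the restored item and the invoking account are what separate routine recovery from credential-store theft during triage.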
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2024-05-10