Data Destruction T1485
Tactic: Impact
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives. Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from Disk Content Wipe and Disk Structure Wipe because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.
Events covered
16 catalog events are tagged with this technique by at least one rule.
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
| Sysmon | Event ID 3 | Network connection |
| Sysmon | Event ID 5 | Process terminated |
| Sysmon | Event ID 11 | FileCreate |
| Sysmon | Event ID 13 | RegistryEvent (Value Set) |
| Sysmon | Event ID 22 | DNSEvent (DNS query) |
| Sysmon | Event ID 23 | FileDelete (File Delete archived) |
| Sysmon | Event ID 26 | FileDeleteDetected (File Delete logged) |
| Security-Auditing | Event ID 4656 | A handle to an object was requested. |
| Security-Auditing | Event ID 4658 | The handle to an object was closed. |
| Security-Auditing | Event ID 4663 | An attempt was made to access an object. |
| Security-Auditing | Event ID 4688 | A new process has been created. |
| Security-Auditing | Event ID 4689 | A process has exited. |
| Defender-DeviceProcessEvents | any | Process activity (any) |
| Linux-Auditd | Event ID 1309 | EXECVE |
| Sysmon-for-Linux | Event ID 1 | Process Create |
Authoring guide
Patterns shared across the 177 rules listed under "Rules under this technique": which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (181 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (577 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.
Exclusions (87 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Each rule's entry carries its full predicates, exclusions, and indicators.
Sigma 21 rules
- AWS EFS Fileshare Mount Modified or Deleted
- AWS EKS Cluster Created or Deleted
- Azure Container Registry Created or Deleted
- Azure Device or Configuration Modified or Deleted
- Azure Kubernetes Cluster Created or Deleted
- Azure Kubernetes Network Policy Change
- Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted
- Azure Kubernetes Secret or Config Object Access
- Azure Kubernetes Sensitive Role Access
- Azure Kubernetes Service Account Modified or Deleted
- DD File Overwrite
- Deleted Data Overwritten Via Cipher.EXE
- Fsutil Suspicious Invocation
- macOS Data Destruction Tools
- Microsoft 365 - Unusual Volume of File Deletion
- MSSQL Destructive Query
- Overwriting the File with Dev Zero or Null
- Potential BlackByte Ransomware Activity
- Potential File Overwrite Via Sysinternals SDelete
- Potential Secure Deletion with SDelete
- Renamed Sysinternals Sdelete Execution
Elastic 35 rules
- AWS CloudWatch Log Group Deletion
- AWS CloudWatch Log Stream Deletion
- AWS EC2 EBS Snapshot Access Removed
- AWS EFS File System Deleted
- AWS KMS Customer Managed Key Disabled or Scheduled for Deletion
- AWS RDS DB Instance or Cluster Deleted
- AWS RDS DB Instance or Cluster Deletion Protection Disabled
- AWS RDS Snapshot Deleted
- AWS S3 Bucket Expiration Lifecycle Configuration Added
- AWS S3 Unauthenticated Bucket Access by Rare Source
- AWS SQS Queue Purge
- Azure Automation Runbook Deleted
- Azure Compute Snapshot Deletion by Unusual User and Resource Group
- Azure Compute Snapshot Deletions by User
- Azure Event Hub Deleted
- Azure Resource Group Deleted
- Azure Storage Account Deletion by Unusual User
- Azure Storage Account Deletions by User
- Backup Deletion with Wbadmin
- Deprecated - M365 Security Compliance Unusual Volume of File Deletion
- File Deletion via Shred
- GCP Storage Bucket Deletion
- GCP Virtual Private Cloud Network Deletion
- GitHub Repository Deleted
- High Number of Closed Pull Requests by User
- High Number of Protected Branch Force Pushes by User
- Potential AWS S3 Bucket Ransomware Note Uploaded
- Potential Ransomware Behavior - Note Files by System
- Potential Ransomware Note File Dropped via SMB
- Potential Secure File Deletion via SDelete Utility
- Potential System Tampering via File Modification
- Several Failed Protected Branch Force Pushes by User
- SSL Certificate Deletion
- Suspicious File Renamed via SMB
- Third-party Backup Files Deleted via Unexpected Process
Splunk 40 rules
- ASL AWS Defense Evasion PutBucketLifecycle
- AWS Bedrock Delete Knowledge Base
- AWS Defense Evasion PutBucketLifecycle
- Cipher.exe Execution (Sysmon)
- Cipher.exe Execution (Windows Event Log)
- Common Ransomware Extensions
- Common Ransomware Notes
- Detect DNS Query to Decommissioned S3 Bucket
- Detect Web Access to Decommissioned S3 Bucket
- Excessive File Deletion In WinDefender Folder
- GitHub Enterprise Remove Organization
- GitHub Enterprise Repository Archived
- GitHub Enterprise Repository Deleted
- GitHub Organizations Repository Archived
- GitHub Organizations Repository Deleted
- Linux Account Manipulation Of SSH Config and Keys
- Linux Auditd Data Destruction Command
- Linux Auditd Dd File Overwrite
- Linux Auditd Shred Overwrite Command
- Linux Data Destruction Command
- Linux DD File Overwrite
- Linux Deleting Critical Directory Using RM Command
- Linux Deletion Of Cron Jobs
- Linux Deletion Of Init Daemon Script
- Linux Deletion Of Services
- Linux Deletion of SSL Certificate
- Linux High Frequency Of File Deletion In Boot Folder
- Linux High Frequency Of File Deletion In Etc Folder
- Linux Shred Overwrite Command
- O365 Email Hard Delete Excessive Volume
- O365 Email Password and Payroll Compromise Behavior
- O365 Email Receive and Hard Delete Takeover Behavior
- O365 Email Send and Hard Delete Exfiltration Behavior
- O365 Email Send and Hard Delete Suspicious Behavior
- O365 Email Send Attachments Excessive Volume
- Sdelete Application Execution
- Windows Data Destruction Recursive Exec Files Deletion
- Windows Disable Memory Crash Dump
- Windows File Without Extension In Critical Folder
- Windows High File Deletion Frequency
Kusto 33 rules
- Affected rows stateful anomaly on database
- AV detections related to Ukraine threats
- AWSCloudTrail - Creating keys with encrypt policy without MFA
- Box - Many items deleted by user
- BTP - Mass user deletion in a sub account
- BTP - Mass user deletion in SAP Cloud Identity Service
- CTERA Mass Deletions Detection Analytic
- Dataverse - Mass deletion of records
- Dataverse - Mass record updates
- Deletion of data on multiple drives using cipher exe
- Drop attempts stateful anomaly on database
- Employee account deleted
- F&O - Mass update or deletion of user records
- GCP Audit Logs - Detect Bulk VM Snapshot Deletion
- GitLab - Abnormal number of repositories deleted
- Mass Cloud resource deletions Time Series Anomaly
- Multiple Teams deleted by a single user
- NRT Sensitive Azure Key Vault operations
- OracleDBAudit - Multiple tables dropped in short time
- Potential re-named sdelete usage
- Potential re-named sdelete usage (ASIM Version)
- Power Apps - Multiple apps deleted
- Power Automate - Departing employee flow activity
- Power Automate - Unusual bulk deletion of flow resources
- Sdelete deployed via GPO and run recursively
- Sdelete deployed via GPO and run recursively (ASIM Version)
- SenservaPro AD Applications Not Using Client Credentials
- Sensitive Azure Key Vault operations
- Snowflake - Possible data destraction
- Threat Essentials - Mass Cloud resource deletions Time Series Anomaly
- TI map IP entity to LastPass data
- Unusual Volume of file deletion by users
- Unusual Volume of Password Updated or Removed
YARA-L 7 rules
- AWS KMS Key Disabled Or Scheduled For Deletion
- GCP Multiple KMS Keys Disabled Or Destroyed
- GCP Multiple Secrets Deleted
- GitHub Enterprise Deleted
- GitHub Organization Removed From Enterprise
- GitHub Repository Archived Or Deleted
- Google Workspace Multiple Files Deleted From Google Drive
Panther 41 rules
- AppOmni Alert Passthrough
- AWS RDS Automated Backup Deleted
- AWS RDS Instance or Cluster Deleted
- AWS RDS Snapshot Deleted
- AWS S3 Bucket Action Restrictions
- AWS S3 Bucket MFA Delete
- AWS S3 Bucket Object Lock Configured
- AWS S3 Bucket Public Write
- AWS S3 Bucket Versioning
- AWS S3 Security Control Disabling
- Azure Disk Deleted
- Azure Key Vault Deleted
- Azure Key Vault Key Permanently Purged
- Azure Key Vault Permanently Purged
- Azure Log Analytics Workspace Deleted
- Azure Network Security Configuration Modified or Deleted
- Azure Recovery Services Protection Container Deleted
- Azure Resource Group Deleted
- Azure Restore Point Collection Deleted
- Azure SQL Server Deleted
- Azure Storage Account Blob Versioning Disabled
- Azure Storage Account Deleted
- Azure Storage Blob Deletion
- Azure Storage Blob Soft Delete Disabled
- Azure Storage Container Soft Delete Disabled
- Azure Storage Immutability Policy Deleted
- Azure Virtual Machine Deleted
- Azure Virtual Network Deleted
- Azure VM Snapshot Deleted
- Databricks Destructive Activities
- Dropbox Many Deletes
- GCP GCS Bulk Object Deletion
- GSuite Drive Many Documents Deleted
- KMS CMK Disabled or Deleted
- Netskope Many Objects Deleted
- S3 Bucket Deleted
- S3 Bucket Encryption Deleted
- S3 Bucket Logging Disabled
- S3 Bucket Replication Deleted
- S3 Bucket Versioning Suspended
- S3 MFA Delete Disabled