T1485 Data Destruction

Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Ta...

Platforms: Containers, ESXi, IaaS, Linux, macOS, Windows

90 detections, 3 sources, 5 threat actors

BY SOURCE

splunk_escu 36, elastic 35, sigma 19

PROCEDURES (33)

Auto-extracted groupings; the number after each group is its detection count.

General Monitoring (21)
Api (6)
Event Log (6)
Azure (5)
Process Creation Monitoring (4)
Email (4)
Aws (4)
Cloud Monitoring (4)
Unusual (3)
Remote (3)
Registry (2)
Encrypt (2)
Service (2)
Suspicious (2)
Kubernetes (2)
Service (2)
Exfiltrat (2)
Encrypt (1)
Azure (1)
Kubernetes (1)
Encrypt (1)
Api (1)
Exfiltrat (1)
Ransomware (1)
Exfiltrat (1)
Cloud (1)
Cloud (1)
Service (1)
File Monitoring (1)
Remote (1)
Ransomware (1)
Suspicious (1)
Exfiltrat (1)

DETECTIONS (90)

Each entry gives the rule name followed by its source and, where the source assigns one, its severity.

AWS Bedrock Delete Knowledge Base (splunk_escu)
AWS CloudWatch Log Group Deletion (elastic, medium)
AWS CloudWatch Log Stream Deletion (elastic, medium)
AWS EC2 EBS Snapshot Access Removed (elastic, medium)
AWS EFS File System Deleted (elastic, medium)
AWS EFS Fileshare Mount Modified or Deleted (sigma, medium)
AWS EKS Cluster Created or Deleted (sigma, low)
AWS KMS Customer Managed Key Disabled or Scheduled for Deletion (elastic, medium)
AWS RDS DB Instance or Cluster Deleted (elastic, medium)
AWS RDS DB Instance or Cluster Deletion Protection Disabled (elastic, medium)
AWS RDS Snapshot Deleted (elastic, medium)
AWS S3 Bucket Expiration Lifecycle Configuration Added (elastic, low)
AWS S3 Unauthenticated Bucket Access by Rare Source (elastic, medium)
AWS SQS Queue Purge (elastic, medium)
Azure Automation Runbook Deleted (elastic, low)
Azure Compute Snapshot Deletion by Unusual User and Resource Group (elastic, low)
Azure Compute Snapshot Deletions by User (elastic, medium)
Azure Container Registry Created or Deleted (sigma, low)
Azure Device or Configuration Modified or Deleted (sigma, medium)
Azure Event Hub Deleted (elastic, medium)
Azure Kubernetes Cluster Created or Deleted (sigma, low)
Azure Kubernetes Network Policy Change (sigma, medium)
Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted (sigma, medium)
Azure Kubernetes Secret or Config Object Access (sigma, medium)
Azure Kubernetes Sensitive Role Access (sigma, medium)
Azure Kubernetes Service Account Modified or Deleted (sigma, medium)
Azure Resource Group Deleted (elastic, medium)
Azure Storage Account Deletion by Unusual User (elastic, medium)
Azure Storage Account Deletions by User (elastic, high)
Backup Deletion with Wbadmin (elastic, low)
Common Ransomware Extensions (splunk_escu)
Common Ransomware Notes (splunk_escu)
DD File Overwrite (sigma, low)
Deleted Data Overwritten Via Cipher.EXE (sigma, medium)
Deprecated - M365 Security Compliance Unusual Volume of File Deletion (elastic, medium)
Detect DNS Query to Decommissioned S3 Bucket (splunk_escu)
Detect Web Access to Decommissioned S3 Bucket (splunk_escu)
Excessive File Deletion In WinDefender Folder (splunk_escu)
File Deletion via Shred (elastic, medium)
Fsutil Suspicious Invocation (sigma, high)
GCP Storage Bucket Deletion (elastic, medium)
GCP Virtual Private Cloud Network Deletion (elastic, medium)
GitHub Enterprise Remove Organization (splunk_escu)
GitHub Enterprise Repository Archived (splunk_escu)
GitHub Enterprise Repository Deleted (splunk_escu)
GitHub Organizations Repository Archived (splunk_escu)
GitHub Organizations Repository Deleted (splunk_escu)
GitHub Repository Deleted (elastic, medium)
High Number of Closed Pull Requests by User (elastic, medium)
High Number of Protected Branch Force Pushes by User (elastic, medium)
Linux Account Manipulation Of SSH Config and Keys (splunk_escu)
Linux Auditd Data Destruction Command (splunk_escu)
Linux Auditd Dd File Overwrite (splunk_escu)
Linux Auditd Shred Overwrite Command (splunk_escu)
Linux Data Destruction Command (splunk_escu)
Linux DD File Overwrite (splunk_escu)
Linux Deleting Critical Directory Using RM Command (splunk_escu)
Linux Deletion Of Cron Jobs (splunk_escu)
Linux Deletion Of Init Daemon Script (splunk_escu)
Linux Deletion Of Services (splunk_escu)
Linux Deletion of SSL Certificate (splunk_escu)
Linux High Frequency Of File Deletion In Boot Folder (splunk_escu)
Linux High Frequency Of File Deletion In Etc Folder (splunk_escu)
Linux Shred Overwrite Command (splunk_escu)
Microsoft 365 - Unusual Volume of File Deletion (sigma, medium)
MSSQL Destructive Query (sigma, medium)
O365 Email Hard Delete Excessive Volume (splunk_escu)
O365 Email Password and Payroll Compromise Behavior (splunk_escu)
O365 Email Receive and Hard Delete Takeover Behavior (splunk_escu)
O365 Email Send and Hard Delete Exfiltration Behavior (splunk_escu)
O365 Email Send and Hard Delete Suspicious Behavior (splunk_escu)
O365 Email Send Attachments Excessive Volume (splunk_escu)
Overwriting the File with Dev Zero or Null (sigma, low)
Potential AWS S3 Bucket Ransomware Note Uploaded (elastic, medium)
Potential File Overwrite Via Sysinternals SDelete (sigma, high)
Potential Ransomware Behavior - Note Files by System (elastic, medium)
Potential Ransomware Note File Dropped via SMB (elastic, high)
Potential Secure Deletion with SDelete (sigma, medium)
Potential Secure File Deletion via SDelete Utility (elastic, low)
Potential System Tampering via File Modification (elastic, high)
Renamed Sysinternals Sdelete Execution (sigma, high)
Sdelete Application Execution (splunk_escu)
Several Failed Protected Branch Force Pushes by User (elastic, medium)
SSL Certificate Deletion (elastic, low)
Suspicious File Renamed via SMB (elastic, high)
Third-party Backup Files Deleted via Unexpected Process (elastic, medium)
Windows Data Destruction Recursive Exec Files Deletion (splunk_escu)
Windows Disable Memory Crash Dump (splunk_escu)
Windows File Without Extension In Critical Folder (splunk_escu)
Windows High File Deletion Frequency (splunk_escu)