detection.wiki

ATT&CK coverage › Technique

Data Destruction T1485

Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives. Common operating system file deletion commands such as <code>del</code> and <code>rm</code> often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from Disk Content Wipe and Disk Structure Wipe because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.

Events covered

13 catalog events are tagged with this technique by at least one rule.

ProviderEvent IDTitle
Sysmon1Process creation
Sysmon5Process terminated
Sysmon11FileCreate
Sysmon13RegistryEvent (Value Set)
Sysmon22DNSEvent (DNS query)
Sysmon23FileDelete (File Delete archived)
Sysmon26FileDeleteDetected (File Delete logged)
Security-Auditing4656A handle to an object was requested.
Security-Auditing4658The handle to an object was closed.
Security-Auditing4663An attempt was made to access an object.
Security-Auditing4688A new process has been created.
Security-Auditing4689A process has exited.
Defender-DeviceProcessEvents9001000Process activity (any)

Authoring guide

Patterns shared across the 18 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (21 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
CommandLine8match 8accepteula, -s, -s gpsvc, -k GPSvcGroup, /w
EventID5in 3, eq 2"23", "26", 4688
OriginalFileName4eq 4sdelete.exe, CIPHER.EXE, fsutil.exe
TargetFilename4in 3, eq 1"*\\ProgramData\\Microsoft\\Windows Defender\\*", "*.exe", "*.dll", "*.sys", "*\\System32\\Boot\\*"
Process3ne 1, eq 1, ends_with 1svchost.exe, sdelete.exe
Image3ends_with 3\cipher.exe, \fsutil.exe, \sdelete.exe, \sdelete64.exe
count3ge 3100, 50
FileName1eq 1cipher.exe
CipherCount1gt 11
EventType1eq 1ProcessCreated
ObjectName1ends_with 1.AAA, .ZZZ
Name1ne 1False
file_count1gt 120
path_count1gt 11
11eq 11

Top indicator values (92 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

FieldKindValueRules (here)Corpus reach
EventIDin"23"36
EventIDin"26"36
EventIDeq46882
CommandLinematch-s22
CommandLinematch-q22
CommandLinematch-r23
CommandLinematchaccepteula23
CommandLinematch-s gpsvc2
CommandLinematch-k GPSvcGroup2
OriginalFileNameeqsdelete.exe22
countge10022
FileNameeqcipher.exe1
CommandLinematch/w1
CipherCountgt11
CommandLinematchc:/1
Processnesdelete.exe1
Processeqsvchost.exe1
Processends_withsvchost.exe1
EventTypeeqProcessCreated1
OriginalFileNameeqCIPHER.EXE1

Common exclusions (30 distinct)

Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

FieldKindValueRules excluding
CommandLinematchsdelete2
Processends_withsdelete.exe1
file_namein"*.exe"1
file_namein"*.scr"1
file_namein"*.wsf"1
file_namein"*.bat"1
file_namein"*.ppt"1
file_namein"*.dll"1
file_namein"*.docx"1
file_namein"*.jpg"1
file_namein"*.js"1
file_namein"*.doc"1
file_namein"*.gif"1
file_namein"*.vbs"1
file_namein"*.lnk"1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 5 rules

Splunk 8 rules

Kusto Query Language 5 rules