detection.wiki

Detection rules › Splunk

Windows High File Deletion Frequency

Author
Teoderick Contreras, Splunk, Steven Dick
Source
upstream

The following analytic identifies a high frequency of file deletions by monitoring Sysmon EventCodes 23 and 26 for specific file extensions. This detection leverages Sysmon logs to track deleted target filenames, process names, and process IDs. Such activity is significant as it often indicates ransomware behavior, where files are encrypted and the originals are deleted. If confirmed malicious, this activity could lead to extensive data loss and operational disruption, as ransomware can render critical files inaccessible, demanding a ransom for their recovery.

MITRE ATT&CK coverage

TacticTechniques
ImpactT1485 Data Destruction

Event coverage

ProviderEvent IDTitle
Sysmon23FileDelete (File Delete archived)
Sysmon26FileDeleteDetected (File Delete logged)

Stages and Predicates

Stage 1: search

search NOT TargetFilename="*\\INetCache\\Content.Outlook\\*" EventCode IN ("23", "26") TargetFilename IN ("*.7z", "*.backup*", "*.bak", "*.bkf", "*.bmp", "*.chm", "*.cmd", "*.db", "*.doc", "*.docx", "*.dsk", "*.gif", "*.ini", "*.jpeg", "*.jpg", "*.js", "*.log", "*.png", "*.ppt", "*.pptx", "*.ps1", "*.rar", "*.vbs", "*.vhd", "*.wbcat", "*.win", "*.xls", "*.xlsx", "*.zip")

Stage 2: stats

stats BY action, dest, dvc, signature, signature_id, user, user_id, vendor_product

Stage 3: where

where count>=100

Stage 4: search

search

Stage 5: search

search

Stage 6: search

search `macro`

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

StageFieldKindExcluded values
1TargetFilenameeq"*\\INetCache\\Content.Outlook\\*"

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
EventCodein
  • "23" corpus 6 (splunk 6)
  • "26" corpus 6 (splunk 6)
TargetFilenamein
  • "*.7z"
  • "*.backup*"
  • "*.bak"
  • "*.bkf"
  • "*.bmp"
  • "*.chm"
  • "*.cmd"
  • "*.db"
  • "*.doc"
  • "*.docx"
  • "*.dsk"
  • "*.gif"
  • "*.ini"
  • "*.jpeg"
  • "*.jpg"
  • "*.js"
  • "*.log"
  • "*.png"
  • "*.ppt"
  • "*.pptx"
  • "*.ps1"
  • "*.rar"
  • "*.vbs"
  • "*.vhd"
  • "*.wbcat"
  • "*.win"
  • "*.xls"
  • "*.xlsx"
  • "*.zip"
countge
  • 100 corpus 2 (splunk 2)

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.