Suspicious Multiple File Rename Or Delete Occurred
Detects multiple file rename or delete events occurrence within a specified period of time by a same user (these events may signalize about ransomware activity).
Sigma rule (View on GitHub)
1title: Suspicious Multiple File Rename Or Delete Occurred
2id: 97919310-06a7-482c-9639-92b67ed63cf8
3status: unsupported
4description: Detects multiple file rename or delete events occurrence within a specified period of time by a same user (these events may signalize about ransomware activity).
5references:
6 - https://www.manageengine.com/data-security/how-to/how-to-detect-ransomware-attacks.html
7author: Vasiliy Burov, oscd.community
8date: 2020/10/16
9modified: 2023/02/24
10tags:
11 - attack.impact
12 - attack.t1486
13logsource:
14 product: windows
15 service: security
16 definition: 'Requirements: Audit Policy : Policies/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit object access, Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Object Access'
17detection:
18 selection:
19 EventID: 4663
20 ObjectType: 'File'
21 AccessList: '%%1537'
22 Keywords: '0x8020000000000000'
23 timeframe: 30s
24 condition: selection | count() by SubjectLogonId > 10
25falsepositives:
26 - Software uninstallation
27 - Files restore activities
28level: medium
References
Related rules
- Vice Society Encrypted File Extension File Creation
- Multiple Modsecurity Blocks
- Boot Configuration Database (BCD) Manipulation - Registry Modification
- Use of bcdedit to Disrupt Boot Processes
- WMIC Shadow Copy Deletion