Suspicious Multiple File Rename Or Delete Occurred

Apr 21, 2023 · attack.impact attack.t1486 ·

Detects multiple file rename or delete events occurrence within a specified period of time by a same user (these events may signalize about ransomware activity).

Sigma rule (View on GitHub)

 1title: Suspicious Multiple File Rename Or Delete Occurred
 2id: 97919310-06a7-482c-9639-92b67ed63cf8
 3status: unsupported
 4description: Detects multiple file rename or delete events occurrence within a specified period of time by a same user (these events may signalize about ransomware activity).
 5references:
 6    - https://www.manageengine.com/data-security/how-to/how-to-detect-ransomware-attacks.html
 7author: Vasiliy Burov, oscd.community
 8date: 2020/10/16
 9modified: 2023/02/24
10tags:
11    - attack.impact
12    - attack.t1486
13logsource:
14    product: windows
15    service: security
16    definition: 'Requirements: Audit Policy : Policies/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit object access, Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Object Access'
17detection:
18    selection:
19        EventID: 4663
20        ObjectType: 'File'
21        AccessList: '%%1537'
22        Keywords: '0x8020000000000000'
23    timeframe: 30s
24    condition: selection | count() by SubjectLogonId > 10
25falsepositives:
26    - Software uninstallation
27    - Files restore activities
28level: medium

References

Data visibility and security solution by ManageEngine DataSecurity Plus

Data visibility and security solution by ManageEngine DataSecurity Plus!

Read More

Suspicious Multiple File Rename Or Delete Occurred

Sigma rule (View on GitHub)

References

Data visibility and security solution by ManageEngine DataSecurity Plus

Related rules