Backup Files Deleted
Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.
Sigma rule
title: Backup Files Deleted
id: 06125661-3814-4e03-bfa2-1e4411c60ac3
status: test
description: Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-6---windows---delete-backup-files
author: frack113
date: 2022-01-02
modified: 2023-02-15
tags:
    - attack.impact
    - attack.t1490
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wt.exe'
            - '\rundll32.exe'
            - '\regsvr32.exe'
        TargetFilename|endswith:
            - '.VHD'
            - '.bac'
            - '.bak'
            - '.wbcat'
            - '.bkf'
            - '.set'
            - '.win'
            - '.dsk'
    condition: selection
falsepositives:
    - Legitimate usage
level: medium
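The selection above is a conjunction of two case-insensitive suffix tests on a file-delete event: the deleting process (Image) must be one of the listed command interpreters or LOLBin hosts, and the deleted path (TargetFilename) must carry one of the listed backup extensions. The following Python re-implements that logic so it can be checked offline against sample records. It is an added example, not code from the SigmaHQ project: the event dictionaries are constructed to resemble Sysmon file-delete records (EventID 23 FileDelete / 26 FileDeleteDetected, which is what the file_delete category normally maps to) and are not real telemetry.

```python
"""Offline check of the 'Backup Files Deleted' selection logic.
Constructed example; the suffix lists are copied from the rule above."""

from typing import Iterable, List

# Values copied verbatim from the rule's selection block.
IMAGE_SUFFIXES = (
    "\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\wt.exe",
    "\\rundll32.exe", "\\regsvr32.exe",
)
BACKUP_SUFFIXES = (
    ".VHD", ".bac", ".bak", ".wbcat", ".bkf", ".set", ".win", ".dsk",
)


def _endswith_any(value: str, suffixes: Iterable[str]) -> bool:
    """Sigma's 'endswith' modifier is case-insensitive by default, so
    compare lowercased strings: the rule writes '.VHD', but a deleted
    'srv01.vhd' must still match."""
    lowered = value.lower()
    return any(lowered.endswith(s.lower()) for s in suffixes)


def matches_backup_files_deleted(event: dict) -> bool:
    """True when one file_delete event satisfies the rule's 'selection'
    (both field conditions must hold, mirroring 'condition: selection')."""
    image = event.get("Image", "")
    target = event.get("TargetFilename", "")
    return _endswith_any(image, IMAGE_SUFFIXES) and _endswith_any(target, BACKUP_SUFFIXES)


def find_hits(events: Iterable[dict]) -> List[dict]:
    """Return the subset of events that would raise this rule."""
    return [e for e in events if matches_backup_files_deleted(e)]


# Constructed sample events modelled on Sysmon file-delete records.
SAMPLE_EVENTS = [
    {"EventID": 23, "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "D:\\Backups\\finance-2024-01.bak"},          # hit
    {"EventID": 26,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "E:\\WindowsImageBackup\\srv01.vhd"},          # hit (case differs from '.VHD')
    {"EventID": 23, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "D:\\Backups\\old.bak"},                       # Image not in list -> no hit
    {"EventID": 23, "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Temp\\notes.txt"},                        # extension not in list -> no hit
]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(f"ALERT Backup Files Deleted: {hit['Image']} -> {hit['TargetFilename']}")
```

Two points the run makes visible: the explorer.exe deletion of a .bak file is not covered, because the rule is scoped to scripted or interpreter-driven deletion rather than every deletion of a backup file; and extensions such as .set and .win are generic enough that installer or cleanup scripts run through cmd.exe will trip the rule, which is the "Legitimate usage" false positive the rule's own metadata names and why it ships at level medium.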
Related rules
- All Backups Deleted Via Wbadmin.EXE
- Boot Configuration Tampering Via Bcdedit.EXE
- Cisco Modify Configuration
- Copy From VolumeShadowCopy Via Cmd.EXE
- Delete Volume Shadow Copies Via WMI With PowerShell