T1485

Data Destruction

Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives. Unlike simple deletion commands (del, rm) that only remove file pointers, data destruction involves overwriting file contents with random data, zeroes, or image files to prevent forensic recovery. Real-world examples include Shamoon (overwrites with image files), WhisperGate (corrupts first 1MB with 0xCC bytes), HermeticWiper (recursive folder wiping via FSCTL_MOVE_FILE), Industroyer (clears registry keys and overwrites ICS configuration files), and Olympic Destroyer (overwrites local and remote shares). Adversaries commonly pair file destruction with Volume Shadow Copy deletion and boot recovery disabling to maximize irrecoverability. In cloud environments, adversaries may delete storage objects, VM images, database instances, and backup vaults to damage an organization's operational continuity.

Microsoft Sentinel / Defender

kusto

let LookbackWindow = 24h;
let DestructionTools = dynamic(["sdelete.exe", "sdelete64.exe", "cipher.exe", "eraser.exe", "wipe.exe"]);
let VSSDestructionPatterns = dynamic(["delete shadows", "shadowcopy delete", "delete catalog", "resize shadowstorage"]);
let PowerShellDestructionPatterns = dynamic([
  "Clear-Content",
  "[IO.File]::WriteAllBytes",
  "[System.IO.File]::WriteAllBytes",
  "Remove-Item -Recurse -Force",
  "Remove-Item -Force -Recurse",
  "-Recurse -Force -ErrorAction SilentlyContinue"
]);
DeviceProcessEvents
| where Timestamp > ago(LookbackWindow)
| where (
    // Known secure deletion tools
    FileName in~ (DestructionTools)
    // cipher.exe /w overwrites free space to prevent recovery of previously deleted files
    or (FileName =~ "cipher.exe" and ProcessCommandLine has "/w")
    // VSS and backup catalog destruction — near-zero legitimate use
    or (FileName in~ ("vssadmin.exe", "wmic.exe", "wbadmin.exe") and ProcessCommandLine has_any (VSSDestructionPatterns))
    or (FileName =~ "wbadmin.exe" and ProcessCommandLine has "delete")
    // Boot/recovery configuration destruction
    or (FileName =~ "bcdedit.exe" and ProcessCommandLine has_any ("/set {default} recoveryenabled no", "/deletevalue", "/delete"))
    // Disk format command
    or (FileName =~ "format.exe" and ProcessCommandLine matches regex @"[A-Za-z]:")
    // Unix/Linux wipers — dd targeting /dev/zero or /dev/urandom as input
    or ProcessCommandLine has_any ("dd if=/dev/zero", "dd if=/dev/urandom", "shred -", "wipe -rf")
    // PowerShell file overwrite and mass deletion
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any (PowerShellDestructionPatterns))
    // Mass deletion via cmd.exe (/f /s /q flags combined)
    or (FileName =~ "cmd.exe" and ProcessCommandLine has "del" and ProcessCommandLine has "/s" and ProcessCommandLine has "/f")
)
| extend IsVSSDestruction = (
    ProcessCommandLine has_any (VSSDestructionPatterns)
    or (FileName in~ ("vssadmin.exe", "wbadmin.exe") and ProcessCommandLine has "delete")
    or (FileName =~ "wmic.exe" and ProcessCommandLine has "shadowcopy" and ProcessCommandLine has "delete")
)
| extend IsSecureDelete = (
    FileName in~ (DestructionTools)
    or (FileName =~ "cipher.exe" and ProcessCommandLine has "/w")
)
| extend IsBootConfigDestruction = (
    FileName =~ "bcdedit.exe"
    and ProcessCommandLine has_any ("/set {default} recoveryenabled no", "/deletevalue", "/delete")
)
| extend IsUnixWiper = (
    ProcessCommandLine has_any ("dd if=/dev/zero", "dd if=/dev/urandom", "shred -", "wipe -rf")
)
| extend IsPowerShellDestruction = (
    FileName in~ ("powershell.exe", "pwsh.exe")
    and ProcessCommandLine has_any (PowerShellDestructionPatterns)
)
| extend IsMassDeletion = (
    (FileName =~ "cmd.exe" and ProcessCommandLine has "del" and ProcessCommandLine has "/s" and ProcessCommandLine has "/f")
    or (FileName =~ "format.exe" and ProcessCommandLine matches regex @"[A-Za-z]:")
)
| extend RiskScore = 
    toint(IsVSSDestruction) * 3
    + toint(IsSecureDelete) * 2
    + toint(IsBootConfigDestruction) * 3
    + toint(IsUnixWiper) * 2
    + toint(IsPowerShellDestruction) * 2
    + toint(IsMassDeletion) * 1
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    IsVSSDestruction, IsSecureDelete, IsBootConfigDestruction,
    IsUnixWiper, IsPowerShellDestruction, IsMassDeletion, RiskScore
| sort by RiskScore desc, Timestamp desc

critical severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Backup software (Veeam, Commvault, Windows Server Backup) that uses vssadmin to manage shadow copy storage size and delete oldest snapshots as part of configured retention policies
IT administrators running sdelete or cipher /w as part of approved data sanitization procedures before hardware decommission or secure disposal
System administrators using bcdedit to configure dual-boot environments, change default OS entries, or modify boot settings during authorized OS maintenance windows
Security testing tools and penetration testing engagements running data destruction simulations on designated test systems with change management approval
Automated disk imaging and OS provisioning workflows that use format.exe or diskpart as part of system reimaging pipelines on known build servers

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval Image=lower(Image), CommandLine=lower(CommandLine), ParentImage=lower(ParentImage)
| eval IsSecureDelete=if(
    match(Image, "(sdelete|sdelete64|eraser|wipe)\.exe$")
    OR (match(Image, "cipher\.exe$") AND match(CommandLine, "/w")),
    1, 0)
| eval IsVSSDestruction=if(
    match(CommandLine, "(delete shadows|shadowcopy delete|delete catalog|resize shadowstorage)")
    OR (match(Image, "(vssadmin|wbadmin)\.exe$") AND match(CommandLine, "delete"))
    OR (match(Image, "wmic\.exe$") AND match(CommandLine, "shadowcopy") AND match(CommandLine, "delete")),
    1, 0)
| eval IsBootDestruction=if(
    match(Image, "bcdedit\.exe$")
    AND match(CommandLine, "(/set|/deletevalue|/delete)"),
    1, 0)
| eval IsUnixWiper=if(
    match(CommandLine, "(dd if=/dev/zero|dd if=/dev/urandom|shred -|wipe -rf)"),
    1, 0)
| eval IsPowerShellDestruction=if(
    match(Image, "(powershell|pwsh)\.exe$")
    AND match(CommandLine, "(clear-content|writeallbytes|\[io\.file\]|remove-item.*-recurse.*-force|remove-item.*-force.*-recurse)"),
    1, 0)
| eval IsMassDeletion=if(
    (match(Image, "cmd\.exe$") AND match(CommandLine, "del") AND match(CommandLine, "/s") AND match(CommandLine, "/f"))
    OR match(Image, "format\.exe$"),
    1, 0)
| eval DestructionScore=IsSecureDelete + IsVSSDestruction + IsBootDestruction + IsUnixWiper + IsPowerShellDestruction + IsMassDeletion
| where DestructionScore > 0
| eval RiskLevel=case(
    IsVSSDestruction=1 AND IsBootDestruction=1, "CRITICAL - Ransomware/Wiper Prep Pattern",
    IsVSSDestruction=1 AND IsSecureDelete=1, "CRITICAL - Active Wiper With Recovery Destruction",
    IsVSSDestruction=1 OR IsBootDestruction=1, "HIGH - Backup/Recovery Destruction",
    IsSecureDelete=1 OR IsUnixWiper=1, "HIGH - Secure Wiper Execution",
    IsPowerShellDestruction=1 OR IsMassDeletion=1, "MEDIUM - Bulk File Destruction",
    true(), "MEDIUM - Suspicious Deletion Activity"
)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
    IsSecureDelete, IsVSSDestruction, IsBootDestruction,
    IsUnixWiper, IsPowerShellDestruction, IsMassDeletion,
    DestructionScore, RiskLevel
| sort - DestructionScore, - _time

critical severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Backup software (Veeam, Commvault, Windows Server Backup) that uses vssadmin to manage shadow copy storage size and delete oldest snapshots as part of configured retention policies
IT administrators running sdelete or cipher /w as part of approved data sanitization procedures before hardware decommission or secure disposal
System administrators using bcdedit to configure dual-boot environments, change default OS entries, or modify boot settings during authorized OS maintenance windows
Security testing tools and penetration testing engagements running data destruction simulations on designated test systems with change management approval
Automated disk imaging and OS provisioning workflows that use format.exe or diskpart as part of system reimaging pipelines on known build servers

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "sourceip",
  "username",
  "Process Name" AS image,
  "Command" AS command_line,
  "Parent Process Name" AS parent_image,
  CASE
    WHEN LOWER("Command") MATCHES '(delete shadows|shadowcopy delete|delete catalog|resize shadowstorage)'
      OR (LOWER("Process Name") MATCHES '(vssadmin|wbadmin)\.exe' AND LOWER("Command") MATCHES 'delete')
      OR (LOWER("Process Name") MATCHES 'wmic\.exe' AND LOWER("Command") MATCHES 'shadowcopy' AND LOWER("Command") MATCHES 'delete')
    THEN 1 ELSE 0
  END AS is_vss_destruction,
  CASE
    WHEN LOWER("Process Name") MATCHES '(sdelete|sdelete64|eraser|wipe)\.exe'
      OR (LOWER("Process Name") MATCHES 'cipher\.exe' AND LOWER("Command") MATCHES '/w')
    THEN 1 ELSE 0
  END AS is_secure_delete,
  CASE
    WHEN LOWER("Process Name") MATCHES 'bcdedit\.exe'
      AND LOWER("Command") MATCHES '(/set|/deletevalue|/delete)'
    THEN 1 ELSE 0
  END AS is_boot_destruction,
  CASE
    WHEN LOWER("Command") MATCHES '(dd if=/dev/zero|dd if=/dev/urandom|shred -|wipe -rf)'
    THEN 1 ELSE 0
  END AS is_unix_wiper,
  CASE
    WHEN LOWER("Process Name") MATCHES '(powershell|pwsh)\.exe'
      AND LOWER("Command") MATCHES '(clear-content|writeallbytes|\[io\.file\]|remove-item)'
    THEN 1 ELSE 0
  END AS is_ps_destruction,
  CASE
    WHEN (LOWER("Process Name") MATCHES 'cmd\.exe' AND LOWER("Command") MATCHES 'del' AND LOWER("Command") MATCHES '/s' AND LOWER("Command") MATCHES '/f')
      OR LOWER("Process Name") MATCHES 'format\.exe'
    THEN 1 ELSE 0
  END AS is_mass_deletion
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 119, 396)
  AND QIDNAME(qid) IN ('Process Create', 'Process Launched', 'Sysmon Process Create')
  AND LONG(devicetime) > LONG(NOW()) - 86400000
  AND (
    LOWER("Process Name") MATCHES '(sdelete|sdelete64|eraser|wipe)\.exe'
    OR (LOWER("Process Name") MATCHES 'cipher\.exe' AND LOWER("Command") MATCHES '/w')
    OR LOWER("Command") MATCHES '(delete shadows|shadowcopy delete|delete catalog|resize shadowstorage)'
    OR (LOWER("Process Name") MATCHES '(vssadmin|wbadmin)\.exe' AND LOWER("Command") MATCHES 'delete')
    OR (LOWER("Process Name") MATCHES 'wmic\.exe' AND LOWER("Command") MATCHES 'shadowcopy' AND LOWER("Command") MATCHES 'delete')
    OR (LOWER("Process Name") MATCHES 'bcdedit\.exe' AND LOWER("Command") MATCHES '(/set|/deletevalue|/delete)')
    OR LOWER("Command") MATCHES '(dd if=/dev/zero|dd if=/dev/urandom|shred -|wipe -rf)'
    OR (LOWER("Process Name") MATCHES '(powershell|pwsh)\.exe' AND LOWER("Command") MATCHES '(clear-content|writeallbytes|\[io\.file\]|remove-item)')
    OR (LOWER("Process Name") MATCHES 'cmd\.exe' AND LOWER("Command") MATCHES 'del' AND LOWER("Command") MATCHES '/s' AND LOWER("Command") MATCHES '/f')
    OR LOWER("Process Name") MATCHES 'format\.exe'
  )
ORDER BY devicetime DESC
LAST 24 HOURS

critical severity medium confidence

Data Sources

IBM QRadar SIEM Windows Sysmon (Log Source Type 119) Windows Security Event Log (Log Source Type 12) Microsoft Windows Defender ATP

Required Tables

events

False Positives

Enterprise disk wiping tools run by IT during device decommissioning (sdelete, Eraser)
Legitimate cipher /w operations for compliance with data sanitization policies (NIST 800-88)
Backup solution maintenance tasks that resize or delete VSS shadow storage to manage disk space

Sumo Logic CSE

sql

_sourceCategory="windows/sysmon" OR _sourceCategory="endpoint/process"
| json field=_raw "EventID" as event_id nodrop
| json field=_raw "Image" as image nodrop
| json field=_raw "CommandLine" as command_line nodrop
| json field=_raw "ParentImage" as parent_image nodrop
| json field=_raw "ParentCommandLine" as parent_command_line nodrop
| json field=_raw "User" as user nodrop
| json field=_raw "Computer" as host nodrop
| where event_id = "1"
| toLowerCase(image) as image
| toLowerCase(command_line) as command_line
| if(matches(image, "*sdelete*.exe") or matches(image, "*eraser*.exe") or matches(image, "*wipe*.exe") or (matches(image, "*cipher.exe") and matches(command_line, "*/w*")), 1, 0) as is_secure_delete
| if(
    matches(command_line, "*delete shadows*") or matches(command_line, "*shadowcopy delete*") or matches(command_line, "*delete catalog*") or matches(command_line, "*resize shadowstorage*")
    or (matches(image, "*vssadmin.exe") and matches(command_line, "*delete*"))
    or (matches(image, "*wbadmin.exe") and matches(command_line, "*delete*"))
    or (matches(image, "*wmic.exe") and matches(command_line, "*shadowcopy*") and matches(command_line, "*delete*")),
    1, 0) as is_vss_destruction
| if(matches(image, "*bcdedit.exe") and (matches(command_line, "*/set*") or matches(command_line, "*/deletevalue*") or matches(command_line, "*/delete*")), 1, 0) as is_boot_destruction
| if(matches(command_line, "*dd if=/dev/zero*") or matches(command_line, "*dd if=/dev/urandom*") or matches(command_line, "*shred -*") or matches(command_line, "*wipe -rf*"), 1, 0) as is_unix_wiper
| if(
    (matches(image, "*powershell.exe") or matches(image, "*pwsh.exe"))
    and (matches(command_line, "*clear-content*") or matches(command_line, "*writeallbytes*") or matches(command_line, "*[io.file]*") or (matches(command_line, "*remove-item*") and matches(command_line, "*-recurse*") and matches(command_line, "*-force*"))),
    1, 0) as is_ps_destruction
| if(
    (matches(image, "*cmd.exe") and matches(command_line, "*del*") and matches(command_line, "*/s*") and matches(command_line, "*/f*"))
    or matches(image, "*format.exe"),
    1, 0) as is_mass_deletion
| eval destruction_score = is_secure_delete + is_vss_destruction + is_boot_destruction + is_unix_wiper + is_ps_destruction + is_mass_deletion
| where destruction_score > 0
| if(is_vss_destruction = 1 and is_boot_destruction = 1, "CRITICAL - Ransomware/Wiper Prep",
    if(is_vss_destruction = 1 and is_secure_delete = 1, "CRITICAL - Active Wiper With Recovery Destruction",
    if(is_vss_destruction = 1 or is_boot_destruction = 1, "HIGH - Backup/Recovery Destruction",
    if(is_secure_delete = 1 or is_unix_wiper = 1, "HIGH - Secure Wiper Execution",
    if(is_ps_destruction = 1 or is_mass_deletion = 1, "MEDIUM - Bulk File Destruction",
    "MEDIUM - Suspicious Deletion Activity"))))) as risk_level
| fields _messageTime, host, user, image, command_line, parent_image, parent_command_line, is_secure_delete, is_vss_destruction, is_boot_destruction, is_unix_wiper, is_ps_destruction, is_mass_deletion, destruction_score, risk_level
| sort by destruction_score desc, _messageTime desc

critical severity high confidence

Data Sources

Sumo Logic Cloud SIEM Enterprise Windows Sysmon via Sumo Logic Installed Collector Endpoint Detection Sources

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=endpoint/process

False Positives

IT asset disposal workflows using sdelete or cipher /w for NIST 800-88 compliance
Shadow copy management by enterprise backup agents (Veeam, Commvault) resizing or pruning VSS snapshots
Developer or admin PowerShell scripts using Remove-Item -Recurse -Force for legitimate build artifact cleanup

Google Chronicle / SecOps

yaral

rule t1485_data_destruction {
  meta:
    author = "Detection Engineering"
    description = "Detects T1485 Data Destruction including secure wipers, VSS destruction, boot config tampering, PowerShell overwrite, and mass deletion commands"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1485"
    severity = "CRITICAL"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname

    (
      // Known secure deletion tools
      re.regex($e.target.process.file.full_path, `(?i)(sdelete|sdelete64|eraser|wipe)\.exe$`)

      // cipher /w free space overwrite
      or (
        re.regex($e.target.process.file.full_path, `(?i)\\cipher\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)/w`)
      )

      // VSS and backup catalog destruction
      or re.regex($e.target.process.command_line, `(?i)(delete shadows|shadowcopy delete|delete catalog|resize shadowstorage)`)
      or (
        re.regex($e.target.process.file.full_path, `(?i)\\(vssadmin|wbadmin)\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)delete`)
      )
      or (
        re.regex($e.target.process.file.full_path, `(?i)\\wmic\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)shadowcopy`)
        and re.regex($e.target.process.command_line, `(?i)delete`)
      )

      // Boot/recovery configuration destruction
      or (
        re.regex($e.target.process.file.full_path, `(?i)\\bcdedit\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)(/set|/deletevalue|/delete)`)
      )

      // Disk format
      or (
        re.regex($e.target.process.file.full_path, `(?i)\\format\.exe$`)
        and re.regex($e.target.process.command_line, `[A-Za-z]:`)
      )

      // Unix/Linux wipers
      or re.regex($e.target.process.command_line, `(dd if=/dev/zero|dd if=/dev/urandom|shred -|wipe -rf)`)

      // PowerShell data destruction
      or (
        re.regex($e.target.process.file.full_path, `(?i)\\(powershell|pwsh)\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)(Clear-Content|WriteAllBytes|\[IO\.File\]|\[System\.IO\.File\]|Remove-Item.{0,30}-Recurse.{0,30}-Force|Remove-Item.{0,30}-Force.{0,30}-Recurse)`)
      )

      // Mass cmd.exe deletion
      or (
        re.regex($e.target.process.file.full_path, `(?i)\\cmd\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)\bdel\b`)
        and re.regex($e.target.process.command_line, `(?i)/s`)
        and re.regex($e.target.process.command_line, `(?i)/f`)
      )
    )

  condition:
    $e
}

critical severity high confidence

Data Sources

Google Chronicle SIEM UDM Process Launch events Windows Event Forwarding to Chronicle Linux Auditd via Chronicle ingestion

Required Tables

UDM entity: PROCESS_LAUNCH

False Positives

Enterprise IT decommission workflows using sdelete64 or Eraser for DoD 5220.22-M compliant media sanitization
Backup and DR software managing VSS snapshot quotas through vssadmin resize shadowstorage
PowerShell-based deployment scripts that clean up installation directories using Remove-Item -Recurse -Force

CrowdStrike LogScale (CQL)

cql

// T1485 Data Destruction - CrowdStrike LogScale (Falcon Data Replicator)
#event_simpleName = ProcessRollup2
| ImageFileName = /(?i)(sdelete|sdelete64|eraser|wipe)\.exe$/
  OR (ImageFileName = /(?i)\\cipher\.exe$/ AND CommandLine = /(?i)\/w/)
  OR CommandLine = /(?i)(delete shadows|shadowcopy delete|delete catalog|resize shadowstorage)/
  OR (ImageFileName = /(?i)\\(vssadmin|wbadmin)\.exe$/ AND CommandLine = /(?i)delete/)
  OR (ImageFileName = /(?i)\\wmic\.exe$/ AND CommandLine = /(?i)shadowcopy/ AND CommandLine = /(?i)delete/)
  OR (ImageFileName = /(?i)\\bcdedit\.exe$/ AND CommandLine = /(?i)(\/set|\/deletevalue|\/delete)/)
  OR (ImageFileName = /(?i)\\format\.exe$/ AND CommandLine = /[A-Za-z]:/)
  OR CommandLine = /(dd if=\/dev\/zero|dd if=\/dev\/urandom|shred -|wipe -rf)/
  OR (ImageFileName = /(?i)\\(powershell|pwsh)\.exe$/ AND CommandLine = /(?i)(Clear-Content|WriteAllBytes|\[IO\.File\]|\[System\.IO\.File\]|Remove-Item.{0,50}-Recurse.{0,50}-Force)/)
  OR (ImageFileName = /(?i)\\cmd\.exe$/ AND CommandLine = /(?i)\bdel\b/ AND CommandLine = /(?i)\/s/ AND CommandLine = /(?i)\/f/)
| eval(
    is_secure_delete = if(
      ImageFileName = /(?i)(sdelete|sdelete64|eraser|wipe)\.exe$/ OR
      (ImageFileName = /(?i)\\cipher\.exe$/ AND CommandLine = /(?i)\/w/),
      1, 0),
    is_vss_destruction = if(
      CommandLine = /(?i)(delete shadows|shadowcopy delete|delete catalog|resize shadowstorage)/ OR
      (ImageFileName = /(?i)\\(vssadmin|wbadmin)\.exe$/ AND CommandLine = /(?i)delete/) OR
      (ImageFileName = /(?i)\\wmic\.exe$/ AND CommandLine = /(?i)shadowcopy/ AND CommandLine = /(?i)delete/),
      1, 0),
    is_boot_destruction = if(
      ImageFileName = /(?i)\\bcdedit\.exe$/ AND CommandLine = /(?i)(\/set|\/deletevalue|\/delete)/,
      1, 0),
    is_unix_wiper = if(
      CommandLine = /(dd if=\/dev\/zero|dd if=\/dev\/urandom|shred -|wipe -rf)/,
      1, 0),
    is_ps_destruction = if(
      ImageFileName = /(?i)\\(powershell|pwsh)\.exe$/ AND
      CommandLine = /(?i)(Clear-Content|WriteAllBytes|\[IO\.File\]|Remove-Item.{0,50}-Recurse.{0,50}-Force)/,
      1, 0),
    is_mass_deletion = if(
      (ImageFileName = /(?i)\\cmd\.exe$/ AND CommandLine = /(?i)\bdel\b/ AND CommandLine = /(?i)\/s/ AND CommandLine = /(?i)\/f/) OR
      ImageFileName = /(?i)\\format\.exe$/,
      1, 0)
  )
| eval(destruction_score = is_secure_delete + is_vss_destruction + is_boot_destruction + is_unix_wiper + is_ps_destruction + is_mass_deletion)
| eval(risk_level = case(
    is_vss_destruction = 1 AND is_boot_destruction = 1, "CRITICAL - Ransomware/Wiper Prep",
    is_vss_destruction = 1 AND is_secure_delete = 1, "CRITICAL - Active Wiper With Recovery Destruction",
    is_vss_destruction = 1 OR is_boot_destruction = 1, "HIGH - Backup/Recovery Destruction",
    is_secure_delete = 1 OR is_unix_wiper = 1, "HIGH - Secure Wiper Execution",
    is_ps_destruction = 1 OR is_mass_deletion = 1, "MEDIUM - Bulk File Destruction",
    true(), "MEDIUM - Suspicious Deletion Activity"
  ))
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, is_secure_delete, is_vss_destruction, is_boot_destruction, is_unix_wiper, is_ps_destruction, is_mass_deletion, destruction_score, risk_level])
| sort(field=destruction_score, order=desc)

critical severity high confidence

Data Sources

CrowdStrike Falcon Data Replicator (FDR) CrowdStrike Falcon Insight EDR LogScale Falcon Event Stream

Required Tables

#event_simpleName=ProcessRollup2

False Positives

Falcon sensor deployment scripts using PowerShell Remove-Item -Recurse -Force for cleanup during sensor upgrades
IT operations using sdelete or wbadmin delete catalog as part of approved server decommission runbooks
Penetration testers or red team operators with authorized scopes executing wiper simulations on test endpoints

Last updated: 2026-04-13 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1485 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Data Destruction

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (1)

Same Tactic: Impact

Popular Detections