T1485 Google Chronicle · YARA-L

Detect Data Destruction in Google Chronicle

Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives. Unlike simple deletion commands (del, rm) that only remove file pointers, data destruction involves overwriting file contents with random data, zeroes, or image files to prevent forensic recovery. Real-world examples include Shamoon (overwrites with image files), WhisperGate (corrupts first 1MB with 0xCC bytes), HermeticWiper (recursive folder wiping via FSCTL_MOVE_FILE), Industroyer (clears registry keys and overwrites ICS configuration files), and Olympic Destroyer (overwrites local and remote shares). Adversaries commonly pair file destruction with Volume Shadow Copy deletion and boot recovery disabling to maximize irrecoverability. In cloud environments, adversaries may delete storage objects, VM images, database instances, and backup vaults to damage an organization's operational continuity.

MITRE ATT&CK

Tactic: Impact
Technique: T1485 Data Destruction
Canonical reference: https://attack.mitre.org/techniques/T1485/

YARA-L Detection Query

Google Chronicle (YARA-L)

```yaral
rule t1485_data_destruction {
  meta:
    author = "Detection Engineering"
    description = "Detects T1485 Data Destruction including secure wipers, VSS destruction, boot config tampering, PowerShell overwrite, and mass deletion commands"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1485"
    severity = "CRITICAL"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname

    (
      // Known secure deletion tools
      re.regex($e.target.process.file.full_path, `(?i)(sdelete|sdelete64|eraser|wipe)\.exe$`)

      // cipher /w free space overwrite
      or (
        re.regex($e.target.process.file.full_path, `(?i)\\cipher\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)/w`)
      )

      // VSS and backup catalog destruction
      or re.regex($e.target.process.command_line, `(?i)(delete shadows|shadowcopy delete|delete catalog|resize shadowstorage)`)
      or (
        re.regex($e.target.process.file.full_path, `(?i)\\(vssadmin|wbadmin)\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)delete`)
      )
      or (
        re.regex($e.target.process.file.full_path, `(?i)\\wmic\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)shadowcopy`)
        and re.regex($e.target.process.command_line, `(?i)delete`)
      )

      // Boot/recovery configuration destruction
      or (
        re.regex($e.target.process.file.full_path, `(?i)\\bcdedit\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)(/set|/deletevalue|/delete)`)
      )

      // Disk format
      or (
        re.regex($e.target.process.file.full_path, `(?i)\\format\.exe$`)
        and re.regex($e.target.process.command_line, `[A-Za-z]:`)
      )

      // Unix/Linux wipers
      or re.regex($e.target.process.command_line, `(dd if=/dev/zero|dd if=/dev/urandom|shred -|wipe -rf)`)

      // PowerShell data destruction
      or (
        re.regex($e.target.process.file.full_path, `(?i)\\(powershell|pwsh)\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)(Clear-Content|WriteAllBytes|\[IO\.File\]|\[System\.IO\.File\]|Remove-Item.{0,30}-Recurse.{0,30}-Force|Remove-Item.{0,30}-Force.{0,30}-Recurse)`)
      )

      // Mass cmd.exe deletion
      or (
        re.regex($e.target.process.file.full_path, `(?i)\\cmd\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)\bdel\b`)
        and re.regex($e.target.process.command_line, `(?i)/s`)
        and re.regex($e.target.process.command_line, `(?i)/f`)
      )
    )

  condition:
    $e
}
```

Chronicle YARA-L 2.0 rule for T1485 Data Destruction detection. Monitors PROCESS_LAUNCH UDM events for secure deletion tools, VSS/shadow copy and backup catalog destruction, boot recovery configuration tampering, disk format commands, Unix-style wipers (dd/shred), PowerShell file overwrite and mass removal, and cmd.exe bulk forced deletion. Maps directly to KQL/SPL logic.
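To exercise the rule's branch logic offline before deploying it, the following added Python script (not part of the original rule or of Chronicle's tooling) re-expresses the ten branches above as Python regexes, which accept the same syntax here as Chronicle's RE2 engine, and runs them over constructed PROCESS_LAUNCH events, including the vssadmin resize shadowstorage case listed under tuning. The sample paths and command lines are constructed, not real telemetry.

```python
import re

# Branches of the YARA-L rule above, one tuple each:
# (label, image-path regex or None, list of command-line regexes that must ALL match).
# The patterns are copied from the rule; `\\` matches one literal backslash.
BRANCHES = [
    ("secure_delete_tool", r"(?i)(sdelete|sdelete64|eraser|wipe)\.exe$", []),
    ("cipher_wipe", r"(?i)\\cipher\.exe$", [r"(?i)/w"]),
    ("vss_destruction", None, [r"(?i)(delete shadows|shadowcopy delete|delete catalog|resize shadowstorage)"]),
    ("vssadmin_wbadmin_delete", r"(?i)\\(vssadmin|wbadmin)\.exe$", [r"(?i)delete"]),
    ("wmic_shadowcopy_delete", r"(?i)\\wmic\.exe$", [r"(?i)shadowcopy", r"(?i)delete"]),
    ("bcdedit_tamper", r"(?i)\\bcdedit\.exe$", [r"(?i)(/set|/deletevalue|/delete)"]),
    ("format_volume", r"(?i)\\format\.exe$", [r"[A-Za-z]:"]),
    ("unix_wiper", None, [r"(dd if=/dev/zero|dd if=/dev/urandom|shred -|wipe -rf)"]),
    ("powershell_overwrite", r"(?i)\\(powershell|pwsh)\.exe$",
     [r"(?i)(Clear-Content|WriteAllBytes|\[IO\.File\]|\[System\.IO\.File\]|Remove-Item.{0,30}-Recurse.{0,30}-Force|Remove-Item.{0,30}-Force.{0,30}-Recurse)"]),
    ("cmd_mass_del", r"(?i)\\cmd\.exe$", [r"(?i)\bdel\b", r"(?i)/s", r"(?i)/f"]),
]


def matched_branches(path, cmdline):
    """Return the labels of every rule branch a single PROCESS_LAUNCH event satisfies."""
    hits = []
    for label, path_re, cmd_res in BRANCHES:
        if path_re and not re.search(path_re, path):
            continue                      # image name does not fit this branch
        if all(re.search(r, cmdline) for r in cmd_res):
            hits.append(label)            # every command-line term matched
    return hits


# Constructed sample events (not real telemetry), mirroring the tests and tuning notes.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    (r"C:\Windows\System32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    (r"C:\Windows\System32\cipher.exe", r"cipher /w:C:\Users\alice\AppData\Local\Temp"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -Command [IO.File]::WriteAllBytes('x.bin',$b); Remove-Item x.bin -Force"),
    (r"C:\Windows\System32\vssadmin.exe", "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=10GB"),  # backup-agent tuning case
    (r"C:\Windows\System32\cmd.exe", "cmd /c dir /s"),      # benign: /s present, but no del or /f
    (r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),  # benign enumeration
]

if __name__ == "__main__":
    for path, cmd in SAMPLE_EVENTS:
        print(f"{cmd!r:70} -> {matched_branches(path, cmd)}")
```

The resize shadowstorage event fires only on the command-line-only vss_destruction branch, which is the branch a tuning exception for backup software would need to scope by process or host.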

Data Sources

  • Google Chronicle SIEM
  • UDM Process Launch events
  • Windows Event Forwarding to Chronicle
  • Linux Auditd via Chronicle ingestion

Required Tables

UDM entity: PROCESS_LAUNCH

False Positives & Tuning

  • Enterprise IT decommission workflows using sdelete64 or Eraser for DoD 5220.22-M compliant media sanitization
  • Backup and DR software managing VSS snapshot quotas through vssadmin resize shadowstorage
  • PowerShell-based deployment scripts that clean up installation directories using Remove-Item -Recurse -Force

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: VSS Shadow Copy Deletion via vssadmin

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\vssadmin.exe, CommandLine='delete shadows /all /quiet'. Microsoft-Windows-VSS/Operational Event IDs 8193/8194 recording the deletion. Security Event ID 4688 (if command line auditing enabled) with the vssadmin command. Sysmon Event ID 1 may also show the VSS writer service responding.

  2. Test 2: Boot Recovery Disabled via bcdedit

    Expected signal: Two Sysmon Event ID 1 entries: first with Image=bcdedit.exe CommandLine='/set {default} recoveryenabled no', second with CommandLine='/set {default} bootstatuspolicy ignoreallfailures'. Security Event ID 4688 for both executions. No file system events are generated as bcdedit writes to the BCD store (boot configuration database).

  3. Test 3: Secure Delete with SDelete (Sysinternals)

    Expected signal: Sysmon Event ID 1: Process Create with Image=sdelete.exe (or sdelete64.exe). Sysmon Event ID 11: Multiple FileCreate/FileModified events on the target file representing overwrite passes. Sysmon Event ID 23: FileDelete event after overwriting. Security Event ID 4688 for the sdelete process creation if command line auditing is enabled.

  4. Test 4: Cipher.exe Free Space Overwrite (Built-in LOLBin)

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\cipher.exe, CommandLine='/w:C:\Users\<user>\AppData\Local\Temp'. Multiple Sysmon Event ID 11 entries in the target directory as cipher.exe creates temporary overwrite files (EFSTMPWP). Security Event ID 4688 for process creation.

  5. Test 5: PowerShell Mass File Overwrite and Delete (Wiper Simulation)

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'WriteAllBytes' and 'Remove-Item'. Sysmon Event ID 11: 10 FileCreate events (initial file creation) followed by 10 FileModified events (WriteAllBytes overwrite pass). Sysmon Event ID 23: 10 FileDelete events. The entire sequence completes within 2 minutes, triggering the write-then-delete hunting query at OverwriteDeleteCount > 10.
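Test 5 relies on a write-then-delete correlation (OverwriteDeleteCount > 10 within 2 minutes) rather than on the PROCESS_LAUNCH rule alone. The following added Python script (not the hunting query itself, which is not reproduced on this page) implements that correlation over constructed Sysmon-style Event ID 11 and 23 records so the threshold behaviour can be checked against a simulated wiper and a benign installer cleanup.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=2)   # page: the overwrite/delete sequence completes within 2 minutes
THRESHOLD = 10                  # page: hunting query fires at OverwriteDeleteCount > 10


def build_sample_events():
    """Constructed Sysmon-style records (not real telemetry):
    (utc_time, event_id, process_guid, target_filename); 11 = FileCreate, 23 = FileDelete."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    events = []
    # Wiper simulation: 12 files written, then deleted 30 s later by one process.
    for i in range(12):
        f = rf"C:\Users\alice\Documents\doc{i}.txt"
        events.append((t0 + timedelta(seconds=i), 11, "{WIPER}", f))
        events.append((t0 + timedelta(seconds=30 + i), 23, "{WIPER}", f))
    # Benign installer cleanup: same pattern, but only 3 files (below threshold).
    for i in range(3):
        f = rf"C:\Temp\setup{i}.tmp"
        events.append((t0 + timedelta(seconds=i), 11, "{SETUP}", f))
        events.append((t0 + timedelta(seconds=5 + i), 23, "{SETUP}", f))
    # A delete with no preceding write inside the window must not be counted.
    events.append((t0 + timedelta(minutes=5), 23, "{SETUP}", r"C:\Temp\old.log"))
    return events


def overwrite_delete_counts(events, window=WINDOW):
    """Per process GUID, count distinct files written (EID 11) and then deleted (EID 23)
    by that same process within `window`."""
    last_write = {}                   # (guid, file) -> time of most recent write
    counted = defaultdict(set)        # guid -> files credited once each
    for ts, eid, guid, fname in sorted(events, key=lambda e: e[0]):
        if eid == 11:
            last_write[(guid, fname)] = ts
        elif eid == 23:
            wt = last_write.get((guid, fname))
            if wt is not None and ts - wt <= window:
                counted[guid].add(fname)
    return {guid: len(files) for guid, files in counted.items()}


def flagged_processes(events, threshold=THRESHOLD):
    """Process GUIDs whose OverwriteDeleteCount exceeds the hunting threshold."""
    return sorted(g for g, c in overwrite_delete_counts(events).items() if c > threshold)


if __name__ == "__main__":
    evs = build_sample_events()
    print(overwrite_delete_counts(evs))   # {'{WIPER}': 12, '{SETUP}': 3}
    print(flagged_processes(evs))         # ['{WIPER}']
```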
