Detect Data Destruction in IBM QRadar
Adversaries may destroy data and files on specific systems or in large numbers across a network to interrupt the availability of systems, services, and network resources. Data destruction aims to render stored data irrecoverable by forensic techniques, typically by overwriting files or raw disk sectors on local and remote drives. Unlike simple deletion commands (del, rm), which only remove the directory entry and mark the underlying clusters free while leaving the content on disk, data destruction overwrites file contents with random data, zeroes, or other filler such as image files so that nothing recoverable remains.

Real-world examples include Shamoon (overwrites files with an image file), WhisperGate (corrupts the first 1 MB of each file with 0xCC bytes), HermeticWiper (recursive folder wiping, including use of FSCTL_MOVE_FILE against NTFS structures), Industroyer (clears registry keys and overwrites ICS configuration files), and Olympic Destroyer (overwrites files on local disks and remote shares). Adversaries commonly pair file destruction with Volume Shadow Copy deletion and disabling of boot recovery to maximize irrecoverability. In cloud environments, adversaries may delete storage objects, VM images, database instances, and backup vaults to damage an organization's operational continuity.
MITRE ATT&CK
- Tactic: Impact
- Technique: T1485 Data Destruction
- Canonical reference: https://attack.mitre.org/techniques/T1485/
QRadar Detection Query
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  "sourceip",
  "username",
  "Process Name" AS image,
  "Command" AS command_line,
  "Parent Process Name" AS parent_image,
  CASE
    WHEN LOWER("Command") MATCHES '.*(delete shadows|shadowcopy delete|delete catalog|resize shadowstorage).*'
      OR (LOWER("Process Name") MATCHES '.*(vssadmin|wbadmin)\.exe' AND LOWER("Command") MATCHES '.*delete.*')
      OR (LOWER("Process Name") MATCHES '.*wmic\.exe' AND LOWER("Command") MATCHES '.*shadowcopy.*' AND LOWER("Command") MATCHES '.*delete.*')
    THEN 1 ELSE 0
  END AS is_vss_destruction,
  CASE
    WHEN LOWER("Process Name") MATCHES '.*(sdelete|sdelete64|eraser|wipe)\.exe'
      OR (LOWER("Process Name") MATCHES '.*cipher\.exe' AND LOWER("Command") MATCHES '.*/w.*')
    THEN 1 ELSE 0
  END AS is_secure_delete,
  CASE
    WHEN LOWER("Process Name") MATCHES '.*bcdedit\.exe'
      AND LOWER("Command") MATCHES '.*(/set|/deletevalue|/delete).*'
    THEN 1 ELSE 0
  END AS is_boot_destruction,
  CASE
    WHEN LOWER("Command") MATCHES '.*(dd if=/dev/zero|dd if=/dev/urandom|shred -|wipe -rf).*'
    THEN 1 ELSE 0
  END AS is_unix_wiper,
  CASE
    WHEN LOWER("Process Name") MATCHES '.*(powershell|pwsh)\.exe'
      AND LOWER("Command") MATCHES '.*(clear-content|writeallbytes|\[io\.file\]|remove-item).*'
    THEN 1 ELSE 0
  END AS is_ps_destruction,
  CASE
    WHEN (LOWER("Process Name") MATCHES '.*cmd\.exe' AND LOWER("Command") MATCHES '.*del.*' AND LOWER("Command") MATCHES '.*/s.*' AND LOWER("Command") MATCHES '.*/f.*')
      OR LOWER("Process Name") MATCHES '.*format\.exe'
    THEN 1 ELSE 0
  END AS is_mass_deletion
FROM events
WHERE
  devicetype IN (12, 119, 396)
  AND QIDNAME(qid) IN ('Process Create', 'Process Launched', 'Sysmon Process Create')
  AND (
    LOWER("Process Name") MATCHES '.*(sdelete|sdelete64|eraser|wipe)\.exe'
    OR (LOWER("Process Name") MATCHES '.*cipher\.exe' AND LOWER("Command") MATCHES '.*/w.*')
    OR LOWER("Command") MATCHES '.*(delete shadows|shadowcopy delete|delete catalog|resize shadowstorage).*'
    OR (LOWER("Process Name") MATCHES '.*(vssadmin|wbadmin)\.exe' AND LOWER("Command") MATCHES '.*delete.*')
    OR (LOWER("Process Name") MATCHES '.*wmic\.exe' AND LOWER("Command") MATCHES '.*shadowcopy.*' AND LOWER("Command") MATCHES '.*delete.*')
    OR (LOWER("Process Name") MATCHES '.*bcdedit\.exe' AND LOWER("Command") MATCHES '.*(/set|/deletevalue|/delete).*')
    OR LOWER("Command") MATCHES '.*(dd if=/dev/zero|dd if=/dev/urandom|shred -|wipe -rf).*'
    OR (LOWER("Process Name") MATCHES '.*(powershell|pwsh)\.exe' AND LOWER("Command") MATCHES '.*(clear-content|writeallbytes|\[io\.file\]|remove-item).*')
    OR (LOWER("Process Name") MATCHES '.*cmd\.exe' AND LOWER("Command") MATCHES '.*del.*' AND LOWER("Command") MATCHES '.*/s.*' AND LOWER("Command") MATCHES '.*/f.*')
    OR LOWER("Process Name") MATCHES '.*format\.exe'
  )
ORDER BY devicetime DESC
LAST 24 HOURS

AQL detection for T1485 Data Destruction across Windows endpoints and Linux hosts ingested into QRadar. It identifies secure deletion tools, VSS/shadow copy destruction, boot configuration tampering, Unix-style wiping commands, PowerShell bulk destruction, and mass deletion patterns, and targets process creation events from Sysmon, Windows Security, and endpoint log sources.

Points to check before deploying the query. AQL MATCHES is a full-string regular-expression match, not a substring search, so every pattern must be anchored with .* on both sides (for example '.*delete.*'); a bare 'delete' only matches a command line that is exactly delete, and '(vssadmin|wbadmin)\.exe' never matches a full image path such as C:\Windows\System32\vssadmin.exe. The events table exposes the log source type ID as the devicetype column; confirm the numeric IDs for your deployment with LOGSOURCETYPENAME(devicetype) rather than assuming them. "Process Name", "Command" and "Parent Process Name" are custom event properties that must exist, be enabled for the relevant log source types, and ideally be indexed. The LAST 24 HOURS clause sets the search window, so no separate devicetime comparison is needed in WHERE.
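To show concretely what the query's clauses select and why the anchoring matters, here is an added Python emulation (example code written for this page, not part of QRadar or of the original rule) that applies the same image and command-line patterns to constructed Sysmon Event ID 1 records using full-string matching, as AQL MATCHES does. The hostnames, paths and command lines in SAMPLE_EVENTS are made up for the example; two benign look-alikes are included to show that a read-only vssadmin query does not fire.

```python
import re
from typing import Iterable

# Constructed sample process-creation records in the shape of Sysmon Event ID 1.
# Not real telemetry: hosts, paths and command lines are made up for this example.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\vssadmin.exe",
     "command": "vssadmin delete shadows /all /quiet"},
    {"host": "WS01", "image": r"C:\Windows\System32\bcdedit.exe",
     "command": "bcdedit /set {default} recoveryenabled no"},
    {"host": "WS02", "image": r"C:\Tools\sdelete64.exe",
     "command": r"sdelete64.exe -p 3 C:\Finance\ledger.xlsx"},
    {"host": "SRV01", "image": r"C:\Windows\System32\cipher.exe",
     "command": r"cipher /w:C:\Users\bob\AppData\Local\Temp"},
    {"host": "LNX01", "image": "/usr/bin/dd",
     "command": "dd if=/dev/zero of=/dev/sda bs=1M"},
    {"host": "WS03", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command": r"powershell -c [IO.File]::WriteAllBytes('C:\data\a.docx',$junk); Remove-Item C:\data\*"},
    {"host": "WS04", "image": r"C:\Windows\System32\cmd.exe",
     "command": r"cmd /c del /s /f /q C:\Shares\HR\*"},
    # Benign look-alikes that must NOT fire: a read-only vssadmin query and an unrelated process.
    {"host": "WS05", "image": r"C:\Windows\System32\vssadmin.exe",
     "command": "vssadmin list shadows"},
    {"host": "WS05", "image": r"C:\Windows\System32\notepad.exe",
     "command": "notepad.exe report.txt"},
]

# Each rule: (category, image pattern or None, list of command patterns that must ALL match).
# Patterns mirror the AQL clauses and are written for full-string matching, hence the
# leading and trailing .* on every one of them.
RULES = [
    ("vss_destruction", None,
     [r".*(delete shadows|shadowcopy delete|delete catalog|resize shadowstorage).*"]),
    ("vss_destruction", r".*(vssadmin|wbadmin)\.exe", [r".*delete.*"]),
    ("vss_destruction", r".*wmic\.exe", [r".*shadowcopy.*", r".*delete.*"]),
    ("secure_delete", r".*(sdelete|sdelete64|eraser|wipe)\.exe", []),
    ("secure_delete", r".*cipher\.exe", [r".*/w.*"]),
    ("boot_destruction", r".*bcdedit\.exe", [r".*(/set|/deletevalue|/delete).*"]),
    ("unix_wiper", None,
     [r".*(dd if=/dev/zero|dd if=/dev/urandom|shred -|wipe -rf).*"]),
    ("ps_destruction", r".*(powershell|pwsh)\.exe",
     [r".*(clear-content|writeallbytes|\[io\.file\]|remove-item).*"]),
    ("mass_deletion", r".*cmd\.exe", [r".*del.*", r".*/s.*", r".*/f.*"]),
    ("mass_deletion", r".*format\.exe", []),
]


def aql_matches(value: str, pattern: str) -> bool:
    """Emulate AQL MATCHES: the regex must cover the whole string. The value is
    lower-cased first, mirroring the LOWER() calls in the query. A bare 'delete'
    therefore does not match 'vssadmin delete shadows'; '.*delete.*' does."""
    return re.fullmatch(pattern, value.lower()) is not None


def classify(event: dict) -> set:
    """Return the set of T1485 categories that one process-creation event triggers."""
    hits = set()
    for category, image_pat, cmd_pats in RULES:
        if image_pat is not None and not aql_matches(event["image"], image_pat):
            continue
        if all(aql_matches(event["command"], p) for p in cmd_pats):
            hits.add(category)
    return hits


def run_detection(events: Iterable[dict]) -> list:
    """Apply the rules to a batch of events and return (host, image basename, categories)
    for every event that fires, which is what the WHERE clause of the AQL query keeps."""
    alerts = []
    for ev in events:
        cats = classify(ev)
        if cats:
            basename = re.split(r"[\\/]", ev["image"])[-1]
            alerts.append((ev["host"], basename, tuple(sorted(cats))))
    return alerts


if __name__ == "__main__":
    for host, image, cats in run_detection(SAMPLE_EVENTS):
        print(f"{host:6} {image:16} {', '.join(cats)}")
```

Running the block prints seven alerts and nothing for the two benign records; the cmd.exe clause shows how loose the `del` match is (it also matches any command line containing "delete"), which is why the mass-deletion category deserves a lower weight than the VSS and wiper clauses when you turn this into an offense rule.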
False Positives & Tuning
- Enterprise disk wiping tools run by IT during device decommissioning (sdelete, Eraser); baseline the accounts and hosts that run them and exclude by process signer or hash rather than by name
- Legitimate cipher /w operations run for compliance with data sanitization policies (NIST SP 800-88)
- Backup solution maintenance tasks that resize or delete VSS shadow storage to manage disk space (vssadmin resize shadowstorage, wbadmin delete catalog); these usually run as a service account on a schedule
- Administrative PowerShell scripts that call Remove-Item or [IO.File] methods; the is_ps_destruction clause fires on any such script, so weight it below the VSS, boot and wiper clauses or require it to co-occur with one of them
- Cleanup scripts and build jobs that run del /s /f against temp or build directories; the is_mass_deletion clause matches any cmd.exe command line containing del, /s and /f, including the word "delete" in an unrelated argument
Testing Methodology
Validate this detection against the five Atomic Red Team tests below for T1485. Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: VSS Shadow Copy Deletion via vssadmin
Expected signal: Sysmon Event ID 1 (Process Create) with Image=C:\Windows\System32\vssadmin.exe and CommandLine='vssadmin delete shadows /all /quiet'; Security Event ID 4688 with the same command line if process command-line auditing is enabled. Sysmon Event ID 1 may also show services.exe starting vssvc.exe (the Volume Shadow Copy service) if it was not already running. Event IDs 8193/8194 from VSS in the Application log are error events, not a record of the deletion, so do not treat them as confirmation.
- Test 2: Boot Recovery Disabled via bcdedit
Expected signal: two Sysmon Event ID 1 entries with Image=bcdedit.exe, the first with CommandLine containing '/set {default} recoveryenabled no' and the second '/set {default} bootstatuspolicy ignoreallfailures', plus Security Event ID 4688 for both executions. bcdedit writes to the BCD store, which Windows mounts as the registry hive HKLM\BCD00000000, so expect Sysmon Event ID 13 (RegistryEvent, value set) under that key if the Sysmon configuration covers it, rather than file-system events.
- Test 3: Secure Delete with SDelete (Sysinternals)
Expected signal: Sysmon Event ID 1 with Image=sdelete.exe or sdelete64.exe, and Security Event ID 4688 for the process creation if command-line auditing is enabled. On first use SDelete may also produce a Sysmon Event ID 13 for the EulaAccepted value under HKCU\Software\Sysinternals\SDelete. Sysmon Event ID 11 (FileCreate) is logged only when a file is created or overwritten through a create call, so the in-place overwrite passes on an existing file are not individually visible; expect Event ID 23 (FileDelete, with the file archived) or 26 (FileDeleteDetected) when the file is finally removed. SDelete renames the file repeatedly before deleting it to obliterate the original name, so the deleted path will not match the path given on the command line.
- Test 4: Cipher.exe Free Space Overwrite (Built-in LOLBin)
Expected signal: Sysmon Event ID 1 with Image=C:\Windows\System32\cipher.exe and CommandLine='cipher /w:C:\Users\<user>\AppData\Local\Temp'; Security Event ID 4688 for the process creation. cipher /w creates a temporary folder named EFSTMPWP in the root of the volume that contains the target directory and fills it with large temporary files until the free space is consumed, so expect many Sysmon Event ID 11 (FileCreate) entries under that folder, not under the path named on the command line.
- Test 5: PowerShell Mass File Overwrite and Delete (Wiper Simulation)
Expected signal: Sysmon Event ID 1 with Image=powershell.exe and a CommandLine containing 'WriteAllBytes' and 'Remove-Item'. Sysmon Event ID 11 (FileCreate) for each of the 10 files when they are created, and possibly again when WriteAllBytes reopens each file with overwrite semantics, since Event ID 11 also fires for an existing file opened for overwrite; Sysmon Event ID 23 (or 26) for each of the 10 deletions. The whole sequence completes within about two minutes, so a write-then-delete correlation over Event IDs 11 and 23 keyed on process ID, with a threshold of 10 files inside a short window, should fire on this test; a strict 'greater than 10' threshold would miss it with exactly 10 files.
References
- https://attack.mitre.org/techniques/T1485/
- https://www.symantec.com/connect/blogs/shamoon-attacks
- https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf
- https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
- https://www.crowdstrike.com/blog/technical-analysis-of-whispergate-malware/
- https://www.sentinelone.com/labs/agrius-from-wiper-to-ransomware/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://www.justice.gov/usao-ndca/pr/san-jose-man-pleads-guilty-damaging-cisco-s-network