T1485 Microsoft Sentinel · KQL

Detect Data Destruction in Microsoft Sentinel

Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives. Unlike simple deletion commands (del, rm) that only remove file pointers, data destruction involves overwriting file contents with random data, zeroes, or image files to prevent forensic recovery. Real-world examples include Shamoon (overwrites with image files), WhisperGate (corrupts first 1MB with 0xCC bytes), HermeticWiper (recursive folder wiping via FSCTL_MOVE_FILE), Industroyer (clears registry keys and overwrites ICS configuration files), and Olympic Destroyer (overwrites local and remote shares). Adversaries commonly pair file destruction with Volume Shadow Copy deletion and boot recovery disabling to maximize irrecoverability. In cloud environments, adversaries may delete storage objects, VM images, database instances, and backup vaults to damage an organization's operational continuity.

MITRE ATT&CK

Tactic: Impact
Technique: T1485 Data Destruction
Canonical reference: https://attack.mitre.org/techniques/T1485/

KQL Detection Query

Microsoft Sentinel (KQL)
let LookbackWindow = 24h;
// cipher.exe is deliberately not listed here: it is matched below only with the /w switch, because cipher /e and /u are routine EFS operations
let DestructionTools = dynamic(["sdelete.exe", "sdelete64.exe", "eraser.exe", "wipe.exe"]);
let VSSDestructionPatterns = dynamic(["delete shadows", "shadowcopy delete", "delete catalog", "resize shadowstorage"]);
let PowerShellDestructionPatterns = dynamic([
  "Clear-Content",
  "[IO.File]::WriteAllBytes",
  "[System.IO.File]::WriteAllBytes",
  "Remove-Item -Recurse -Force",
  "Remove-Item -Force -Recurse",
  "-Recurse -Force -ErrorAction SilentlyContinue"
]);
DeviceProcessEvents
| where Timestamp > ago(LookbackWindow)
| where (
    // Known secure deletion tools
    FileName in~ (DestructionTools)
    // cipher.exe /w overwrites free space to prevent recovery of previously deleted files
    or (FileName =~ "cipher.exe" and ProcessCommandLine has "/w")
    // VSS and backup catalog destruction — near-zero legitimate use
    or (FileName in~ ("vssadmin.exe", "wmic.exe", "wbadmin.exe") and ProcessCommandLine has_any (VSSDestructionPatterns))
    or (FileName =~ "wbadmin.exe" and ProcessCommandLine has "delete")
    // Boot/recovery configuration destruction
    or (FileName =~ "bcdedit.exe" and ProcessCommandLine has_any ("/set {default} recoveryenabled no", "/deletevalue", "/delete"))
    // Disk format command
    or (FileName =~ "format.exe" and ProcessCommandLine matches regex @"[A-Za-z]:")
    // Unix/Linux wipers — dd targeting /dev/zero or /dev/urandom as input
    or ProcessCommandLine has_any ("dd if=/dev/zero", "dd if=/dev/urandom", "shred -", "wipe -rf")
    // PowerShell file overwrite and mass deletion
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any (PowerShellDestructionPatterns))
    // Mass deletion via cmd.exe (/f /s /q flags combined)
    or (FileName =~ "cmd.exe" and ProcessCommandLine has "del" and ProcessCommandLine has "/s" and ProcessCommandLine has "/f")
)
| extend IsVSSDestruction = (
    ProcessCommandLine has_any (VSSDestructionPatterns)
    or (FileName in~ ("vssadmin.exe", "wbadmin.exe") and ProcessCommandLine has "delete")
    or (FileName =~ "wmic.exe" and ProcessCommandLine has "shadowcopy" and ProcessCommandLine has "delete")
)
| extend IsSecureDelete = (
    FileName in~ (DestructionTools)
    or (FileName =~ "cipher.exe" and ProcessCommandLine has "/w")
)
| extend IsBootConfigDestruction = (
    FileName =~ "bcdedit.exe"
    and ProcessCommandLine has_any ("/set {default} recoveryenabled no", "/deletevalue", "/delete")
)
| extend IsUnixWiper = (
    ProcessCommandLine has_any ("dd if=/dev/zero", "dd if=/dev/urandom", "shred -", "wipe -rf")
)
| extend IsPowerShellDestruction = (
    FileName in~ ("powershell.exe", "pwsh.exe")
    and ProcessCommandLine has_any (PowerShellDestructionPatterns)
)
| extend IsMassDeletion = (
    (FileName =~ "cmd.exe" and ProcessCommandLine has "del" and ProcessCommandLine has "/s" and ProcessCommandLine has "/f")
    or (FileName =~ "format.exe" and ProcessCommandLine matches regex @"[A-Za-z]:")
)
| extend RiskScore = 
    toint(IsVSSDestruction) * 3
    + toint(IsSecureDelete) * 2
    + toint(IsBootConfigDestruction) * 3
    + toint(IsUnixWiper) * 2
    + toint(IsPowerShellDestruction) * 2
    + toint(IsMassDeletion) * 1
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    IsVSSDestruction, IsSecureDelete, IsBootConfigDestruction,
    IsUnixWiper, IsPowerShellDestruction, IsMassDeletion, RiskScore
| sort by RiskScore desc, Timestamp desc
Severity: critical · Confidence: high

Detects data destruction activity using Microsoft Defender for Endpoint DeviceProcessEvents. Monitors for known secure deletion tools (sdelete, cipher /w, eraser), Volume Shadow Copy deletion via vssadmin/wmic/wbadmin, boot configuration destruction via bcdedit, disk formatting, Unix/Linux wipers (dd targeting /dev/zero or /dev/urandom, shred), PowerShell file overwrite patterns (WriteAllBytes, Clear-Content, Remove-Item -Recurse -Force), and mass deletion via cmd.exe. Each indicator category is scored independently with VSS destruction and bcdedit tampering weighted highest (3) as they have near-zero legitimate use outside of specific administrative contexts.
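To see how the query's category flags and RiskScore combine on concrete command lines, here is an added Python re-implementation of its scoring logic (example code written for this page, not part of the Sentinel rule) run over constructed DeviceProcessEvents rows. The `has` helper is an approximation of KQL term matching, and "any flag set" stands in for the query's where clause.

```python
import re

# Constructed sample DeviceProcessEvents rows (not real telemetry); the last one is a benign control.
EVENTS = [
    {"FileName": "vssadmin.exe", "ProcessCommandLine": "vssadmin delete shadows /all /quiet"},
    {"FileName": "bcdedit.exe", "ProcessCommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"FileName": "cipher.exe", "ProcessCommandLine": r"cipher /w:C:\Users\alice\AppData\Local\Temp"},
    {"FileName": "powershell.exe", "ProcessCommandLine":
        r"powershell -c [IO.File]::WriteAllBytes('f.bin',$b); Remove-Item -Recurse -Force C:\data"},
    {"FileName": "cipher.exe", "ProcessCommandLine": r"cipher /e /s:C:\Users\alice\Documents"},
]

VSS_PATTERNS = ["delete shadows", "shadowcopy delete", "delete catalog", "resize shadowstorage"]
BCD_PATTERNS = ["/set {default} recoveryenabled no", "/deletevalue", "/delete"]
UNIX_PATTERNS = ["dd if=/dev/zero", "dd if=/dev/urandom", "shred -", "wipe -rf"]
PS_PATTERNS = ["Clear-Content", "[IO.File]::WriteAllBytes", "[System.IO.File]::WriteAllBytes",
               "Remove-Item -Recurse -Force", "Remove-Item -Force -Recurse",
               "-Recurse -Force -ErrorAction SilentlyContinue"]
SECURE_DELETE_TOOLS = {"sdelete.exe", "sdelete64.exe", "eraser.exe", "wipe.exe"}
WEIGHTS = {"IsVSSDestruction": 3, "IsSecureDelete": 2, "IsBootConfigDestruction": 3,
           "IsUnixWiper": 2, "IsPowerShellDestruction": 2, "IsMassDeletion": 1}

def has(text, term):
    # Approximates KQL `has`: case-insensitive; a term boundary is required only where the
    # search string itself starts or ends with an alphanumeric character.
    pat = ((r"(?<![A-Za-z0-9])" if term[0].isalnum() else "") + re.escape(term)
           + (r"(?![A-Za-z0-9])" if term[-1].isalnum() else ""))
    return re.search(pat, text, re.I) is not None
def has_any(text, terms):
    return any(has(text, t) for t in terms)

def classify(event):
    """Return the per-category flags and the weighted RiskScore for one process event."""
    name, cl = event["FileName"].lower(), event["ProcessCommandLine"]
    flags = {
        "IsVSSDestruction": has_any(cl, VSS_PATTERNS)
            or (name in ("vssadmin.exe", "wbadmin.exe") and has(cl, "delete")),
        "IsSecureDelete": name in SECURE_DELETE_TOOLS or (name == "cipher.exe" and has(cl, "/w")),
        "IsBootConfigDestruction": name == "bcdedit.exe" and has_any(cl, BCD_PATTERNS),
        "IsUnixWiper": has_any(cl, UNIX_PATTERNS),
        "IsPowerShellDestruction": name in ("powershell.exe", "pwsh.exe") and has_any(cl, PS_PATTERNS),
        "IsMassDeletion": (name == "cmd.exe" and all(has(cl, t) for t in ("del", "/s", "/f")))
            or (name == "format.exe" and re.search(r"[A-Za-z]:", cl) is not None),
    }
    return flags, sum(WEIGHTS[k] for k, v in flags.items() if v)

def detect(events):
    """Keep events with at least one flag set (the query's `where`), highest RiskScore first."""
    scored = [(ev, *classify(ev)) for ev in events]
    return sorted([s for s in scored if s[2] > 0], key=lambda s: -s[2])
```

Running `detect(EVENTS)` returns the four malicious-looking rows scored 3, 3, 2, 2 and drops the `cipher /e` control, which is exactly why the rule keys on the `/w` switch rather than on cipher.exe itself.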

Data Sources

  • Process: Process Creation
  • Command: Command Execution
  • Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • Backup software (Veeam, Commvault, Windows Server Backup) that uses vssadmin to manage shadow copy storage size and delete oldest snapshots as part of configured retention policies
  • IT administrators running sdelete or cipher /w as part of approved data sanitization procedures before hardware decommission or secure disposal
  • System administrators using bcdedit to configure dual-boot environments, change default OS entries, or modify boot settings during authorized OS maintenance windows
  • Security testing tools and penetration testing engagements running data destruction simulations on designated test systems with change management approval
  • Automated disk imaging and OS provisioning workflows that use format.exe or diskpart as part of system reimaging pipelines on known build servers

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. VSS Shadow Copy Deletion via vssadmin

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\vssadmin.exe, CommandLine='delete shadows /all /quiet'. Microsoft-Windows-VSS/Operational Event IDs 8193/8194 recording the deletion. Security Event ID 4688 (if command line auditing enabled) with the vssadmin command. Sysmon Event ID 1 may also show the VSS writer service responding.

  2. Boot Recovery Disabled via bcdedit

    Expected signal: Two Sysmon Event ID 1 entries: first with Image=bcdedit.exe CommandLine='/set {default} recoveryenabled no', second with CommandLine='/set {default} bootstatuspolicy ignoreallfailures'. Security Event ID 4688 for both executions. No file system events are generated as bcdedit writes to the BCD store (boot configuration database).

  3. Secure Delete with SDelete (Sysinternals)

    Expected signal: Sysmon Event ID 1: Process Create with Image=sdelete.exe (or sdelete64.exe). Sysmon Event ID 11: Multiple FileCreate/FileModified events on the target file representing overwrite passes. Sysmon Event ID 23: FileDelete event after overwriting. Security Event ID 4688 for the sdelete process creation if command line auditing is enabled.

  4. Cipher.exe Free Space Overwrite (Built-in LOLBin)

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\cipher.exe, CommandLine='/w:C:\Users\<user>\AppData\Local\Temp'. Multiple Sysmon Event ID 11 entries in the target directory as cipher.exe creates temporary overwrite files (EFSTMPWP). Security Event ID 4688 for process creation.

  5. PowerShell Mass File Overwrite and Delete (Wiper Simulation)

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'WriteAllBytes' and 'Remove-Item'. Sysmon Event ID 11: 10 FileCreate events (initial file creation) followed by 10 FileModified events (WriteAllBytes overwrite pass). Sysmon Event ID 23: 10 FileDelete events. The entire sequence completes within 2 minutes, triggering the write-then-delete hunting query at OverwriteDeleteCount > 10.
