Detect Data Destruction in Splunk
Adversaries may destroy data and files on specific systems or in large numbers across a network to disrupt the availability of systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives. Unlike simple deletion commands (del, rm) that only remove file pointers, data destruction involves overwriting file contents with random data, zeroes, or image files to prevent forensic recovery. Real-world examples include Shamoon (overwrites with image files), WhisperGate (corrupts the first 1MB with 0xCC bytes), HermeticWiper (recursive folder wiping via FSCTL_MOVE_FILE), Industroyer (clears registry keys and overwrites ICS configuration files), and Olympic Destroyer (overwrites local and remote shares). Adversaries commonly pair file destruction with Volume Shadow Copy deletion and boot recovery disabling to maximize irrecoverability. In cloud environments, adversaries may delete storage objects, VM images, database instances, and backup vaults to damage an organization's operational continuity.
MITRE ATT&CK
- Tactic: Impact
- Technique: T1485 Data Destruction
- Canonical reference: https://attack.mitre.org/techniques/T1485/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval Image=lower(Image), CommandLine=lower(CommandLine), ParentImage=lower(ParentImage)
| eval IsSecureDelete=if(
    match(Image, "(sdelete|sdelete64|eraser|wipe)\.exe$")
    OR (match(Image, "cipher\.exe$") AND match(CommandLine, "/w")),
    1, 0)
| eval IsVSSDestruction=if(
    match(CommandLine, "(delete shadows|shadowcopy delete|delete catalog|resize shadowstorage)")
    OR (match(Image, "(vssadmin|wbadmin)\.exe$") AND match(CommandLine, "delete"))
    OR (match(Image, "wmic\.exe$") AND match(CommandLine, "shadowcopy") AND match(CommandLine, "delete")),
    1, 0)
| eval IsBootDestruction=if(
    match(Image, "bcdedit\.exe$")
    AND match(CommandLine, "(/set|/deletevalue|/delete)"),
    1, 0)
| eval IsUnixWiper=if(
    match(CommandLine, "(dd if=/dev/zero|dd if=/dev/urandom|shred -|wipe -rf)"),
    1, 0)
| eval IsPowerShellDestruction=if(
    match(Image, "(powershell|pwsh)\.exe$")
    AND match(CommandLine, "(clear-content|writeallbytes|\[io\.file\]|remove-item.*-recurse.*-force|remove-item.*-force.*-recurse)"),
    1, 0)
| eval IsMassDeletion=if(
    (match(Image, "cmd\.exe$") AND match(CommandLine, "del") AND match(CommandLine, "/s") AND match(CommandLine, "/f"))
    OR match(Image, "format\.exe$"),
    1, 0)
| eval DestructionScore=IsSecureDelete + IsVSSDestruction + IsBootDestruction + IsUnixWiper + IsPowerShellDestruction + IsMassDeletion
| where DestructionScore > 0
| eval RiskLevel=case(
    IsVSSDestruction=1 AND IsBootDestruction=1, "CRITICAL - Ransomware/Wiper Prep Pattern",
    IsVSSDestruction=1 AND IsSecureDelete=1, "CRITICAL - Active Wiper With Recovery Destruction",
    IsVSSDestruction=1 OR IsBootDestruction=1, "HIGH - Backup/Recovery Destruction",
    IsSecureDelete=1 OR IsUnixWiper=1, "HIGH - Secure Wiper Execution",
    IsPowerShellDestruction=1 OR IsMassDeletion=1, "MEDIUM - Bulk File Destruction",
    true(), "MEDIUM - Suspicious Deletion Activity"
  )
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
    IsSecureDelete, IsVSSDestruction, IsBootDestruction,
    IsUnixWiper, IsPowerShellDestruction, IsMassDeletion,
    DestructionScore, RiskLevel
| sort - DestructionScore, - _time

Detects data destruction patterns using Sysmon Event ID 1 (Process Creation). Evaluates command lines against six destruction categories: secure delete tools (sdelete/cipher/eraser), VSS/backup destruction (vssadmin/wmic/wbadmin delete), boot configuration tampering (bcdedit), Unix wipers (dd /dev/zero or /dev/urandom, shred), PowerShell file overwrite (WriteAllBytes, Clear-Content, Remove-Item -Recurse -Force), and mass deletion (del /f /s, format). Assigns a composite DestructionScore and enriches each event with a human-readable RiskLevel. Combined VSS destruction and bcdedit tampering is labeled as a ransomware/wiper preparation pattern for rapid triage prioritization.
False Positives & Tuning
- Backup software (Veeam, Commvault, Windows Server Backup) that uses vssadmin to manage shadow copy storage size and delete oldest snapshots as part of configured retention policies
- IT administrators running sdelete or cipher /w as part of approved data sanitization procedures before hardware decommission or secure disposal
- System administrators using bcdedit to configure dual-boot environments, change default OS entries, or modify boot settings during authorized OS maintenance windows
- Security testing tools and penetration testing engagements running data destruction simulations on designated test systems with change management approval
- Automated disk imaging and OS provisioning workflows that use format.exe or diskpart as part of system reimaging pipelines on known build servers
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: VSS Shadow Copy Deletion via vssadmin
  Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\vssadmin.exe, CommandLine='delete shadows /all /quiet'. Microsoft-Windows-VSS/Operational Event IDs 8193/8194 recording the deletion. Security Event ID 4688 (if command line auditing is enabled) with the vssadmin command. Sysmon Event ID 1 may also show the VSS writer service responding.
- Test 2: Boot Recovery Disabled via bcdedit
  Expected signal: Two Sysmon Event ID 1 entries: first with Image=bcdedit.exe CommandLine='/set {default} recoveryenabled no', second with CommandLine='/set {default} bootstatuspolicy ignoreallfailures'. Security Event ID 4688 for both executions. No file system events are generated, as bcdedit writes to the BCD store (boot configuration database).
- Test 3: Secure Delete with SDelete (Sysinternals)
  Expected signal: Sysmon Event ID 1: Process Create with Image=sdelete.exe (or sdelete64.exe). Sysmon Event ID 11: Multiple FileCreate/FileModified events on the target file representing overwrite passes. Sysmon Event ID 23: FileDelete event after overwriting. Security Event ID 4688 for the sdelete process creation if command line auditing is enabled.
- Test 4: Cipher.exe Free Space Overwrite (Built-in LOLBin)
  Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\cipher.exe, CommandLine='/w:C:\Users\<user>\AppData\Local\Temp'. Multiple Sysmon Event ID 11 entries in the target directory as cipher.exe creates temporary overwrite files (EFSTMPWP). Security Event ID 4688 for process creation.
- Test 5: PowerShell Mass File Overwrite and Delete (Wiper Simulation)
  Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'WriteAllBytes' and 'Remove-Item'. Sysmon Event ID 11: 10 FileCreate events (initial file creation) followed by 10 FileModified events (WriteAllBytes overwrite pass). Sysmon Event ID 23: 10 FileDelete events. The entire sequence completes within 2 minutes, triggering the write-then-delete hunting query at OverwriteDeleteCount > 10.
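To check the SPL query's category flags and RiskLevel tiers against the five tests above before deploying it, the following Python port of the eval/case logic runs over constructed Sysmon Event ID 1 records. This is an added example, not code from the original page; the image paths and command lines are constructed to model Tests 1-5 and are not captured telemetry.

```python
import re

# Regexes copied from the SPL match() calls; matching is done on lowercased Image/CommandLine, as the query's first eval does.
SECURE_IMG = re.compile(r"(sdelete|sdelete64|eraser|wipe)\.exe$")
VSS_CMD = re.compile(r"(delete shadows|shadowcopy delete|delete catalog|resize shadowstorage)")
PS_CMD = re.compile(r"(clear-content|writeallbytes|\[io\.file\]|remove-item.*-recurse.*-force|remove-item.*-force.*-recurse)")
UNIX_CMD = re.compile(r"(dd if=/dev/zero|dd if=/dev/urandom|shred -|wipe -rf)")

def classify(image: str, command_line: str) -> dict:
    """Six category flags, DestructionScore and RiskLevel for one Sysmon Event ID 1 record, per the SPL eval/case chain."""
    img, cmd = image.lower(), command_line.lower()
    f = {
        "IsSecureDelete": bool(SECURE_IMG.search(img)) or (img.endswith("cipher.exe") and "/w" in cmd),
        "IsVSSDestruction": bool(VSS_CMD.search(cmd)) or (bool(re.search(r"(vssadmin|wbadmin)\.exe$", img)) and "delete" in cmd)
            or (img.endswith("wmic.exe") and "shadowcopy" in cmd and "delete" in cmd),
        "IsBootDestruction": img.endswith("bcdedit.exe") and bool(re.search(r"(/set|/deletevalue|/delete)", cmd)),
        "IsUnixWiper": bool(UNIX_CMD.search(cmd)),
        "IsPowerShellDestruction": bool(re.search(r"(powershell|pwsh)\.exe$", img)) and bool(PS_CMD.search(cmd)),
        "IsMassDeletion": (img.endswith("cmd.exe") and "del" in cmd and "/s" in cmd and "/f" in cmd) or img.endswith("format.exe"),
    }
    score = sum(f.values())
    if f["IsVSSDestruction"] and f["IsBootDestruction"]:
        risk = "CRITICAL - Ransomware/Wiper Prep Pattern"
    elif f["IsVSSDestruction"] and f["IsSecureDelete"]:
        risk = "CRITICAL - Active Wiper With Recovery Destruction"
    elif f["IsVSSDestruction"] or f["IsBootDestruction"]:
        risk = "HIGH - Backup/Recovery Destruction"
    elif f["IsSecureDelete"] or f["IsUnixWiper"]:
        risk = "HIGH - Secure Wiper Execution"
    elif f["IsPowerShellDestruction"] or f["IsMassDeletion"]:
        risk = "MEDIUM - Bulk File Destruction"
    else:
        risk = None  # score 0: the event is dropped by "where DestructionScore > 0"
    return {**f, "DestructionScore": score, "RiskLevel": risk}

# Constructed (Image, CommandLine) pairs modelled on Tests 1-5, plus a benign process and a chained one-liner that pairs VSS and bcdedit.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\vssadmin.exe", r"vssadmin.exe delete shadows /all /quiet"),
    (r"C:\Windows\System32\bcdedit.exe", r"bcdedit.exe /set {default} recoveryenabled no"),
    (r"C:\Tools\sdelete64.exe", r"sdelete64.exe -p 3 C:\Users\Public\target.bin"),
    (r"C:\Windows\System32\cipher.exe", r"cipher.exe /w:C:\Users\Public\AppData\Local\Temp"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"powershell.exe -c [IO.File]::WriteAllBytes($f,$b); Remove-Item $f"),
    (r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\Public\notes.txt"),
    (r"C:\Windows\System32\cmd.exe", r"cmd.exe /c vssadmin delete shadows /all /quiet & bcdedit /set {default} recoveryenabled no"),
]

def triage(events=SAMPLE_EVENTS):
    """Classify every event, keep DestructionScore > 0 and sort by score descending, mirroring the query's where/sort stages."""
    rows = [dict(Image=i, CommandLine=c, **classify(i, c)) for i, c in events]
    return sorted([r for r in rows if r["DestructionScore"] > 0], key=lambda r: -r["DestructionScore"])
```

Note that the chained cmd.exe one-liner scores only 1 and lands at HIGH, because IsBootDestruction requires Image to be bcdedit.exe itself; the two CRITICAL tiers therefore fire only when both indicators appear in a single process-creation event, which is worth keeping in mind when reading the RiskLevel output.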
References (11)
- https://attack.mitre.org/techniques/T1485/
- https://www.symantec.com/connect/blogs/shamoon-attacks
- https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf
- https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
- https://www.crowdstrike.com/blog/technical-analysis-of-whispergate-malware/
- https://www.sentinelone.com/labs/agrius-from-wiper-to-ransomware/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://www.justice.gov/usao-ndca/pr/san-jose-man-pleads-guilty-damaging-cisco-s-network