Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-CloudBackup-SnapshotPurge.

Upgrade to Pro
THREAT-CloudBackup-SnapshotPurge IBM QRadar · QRadar

Detect Cloud Backup Vault and Snapshot Deletion Prior to Ransomware Detonation in IBM QRadar

As organizations move backup targets from on-premises VSS/wbadmin to cloud-native services (AWS Backup, EBS/RDS snapshots, Azure Recovery Services vaults, Azure managed-disk snapshots), ransomware affiliates have adapted their recovery-inhibition step to match: rather than running vssadmin on an endpoint, the attacker who has obtained cloud administrative credentials calls the backup/snapshot service's own deletion APIs directly. Observed patterns include bulk deletion of AWS Backup recovery points and backup vaults (DeleteRecoveryPoint, DeleteBackupVault, DeleteBackupPlan, DeleteBackupSelection), direct deletion of EC2/RDS snapshots (DeleteSnapshot, DeleteDBSnapshot, DeleteDBClusterSnapshot), and — on Azure — first disabling the Recovery Services vault's soft-delete protection before deleting protected items or the vault itself (soft-delete exists specifically to survive this attack, so its removal is itself a strong signal), plus deletion of standalone managed-disk snapshots. This is functionally identical in intent to T1490's on-host VSS/BCD deletion but lives entirely in cloud control-plane audit logs (AWS CloudTrail, Azure Activity Log) rather than endpoint telemetry, and the key discriminator from legitimate lifecycle-policy cleanup is who/what made the call: automated retention-policy expiration is initiated by the backup service itself (e.g. CloudTrail invokedBy backup.amazonaws.com), while an interactive IAM user or role deleting many recovery points/vaults in a short window is anomalous and, combined with a soft-delete-disable step on Azure, should be treated as an active pre-encryption indicator.

MITRE ATT&CK

Tactic
Impact

QRadar Detection Query

IBM QRadar (QRadar)
sql
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  "Event Name" AS EventName,
  "Event Source" AS EventSource,
  "User Identity ARN" AS CallerIdentity,
  "Recipient Account Id" AS AccountOrSub,
  CASE
    WHEN "Event Name" IN ('DeleteRecoveryPoint','DeleteBackupVault','DeleteBackupPlan','DeleteBackupSelection','DeleteSnapshot','DeleteDBSnapshot','DeleteDBClusterSnapshot') THEN 'AWS_BackupDeletion'
    WHEN "Event Name" ILIKE '%RECOVERYSERVICES%BACKUPCONFIG%' THEN 'Azure_SoftDeleteDisable'
    WHEN "Event Name" ILIKE '%RECOVERYSERVICES%PROTECTEDITEMS%DELETE%' OR "Event Name" ILIKE '%RECOVERYSERVICES/VAULTS/DELETE%' THEN 'Azure_VaultOrItemDeletion'
    WHEN "Event Name" ILIKE '%COMPUTE/SNAPSHOTS/DELETE%' THEN 'Azure_SnapshotDeletion'
    ELSE 'Other'
  END AS Indicator
FROM events
WHERE
  (
    LOGSOURCETYPENAME(logsourceid) ILIKE '%CloudTrail%'
    AND "Event Name" IN ('DeleteRecoveryPoint','DeleteBackupVault','DeleteBackupPlan','DeleteBackupSelection','DeleteSnapshot','DeleteDBSnapshot','DeleteDBClusterSnapshot')
    AND UTF8(payload) NOT ILIKE '%backup.amazonaws.com%'
  )
  OR
  (
    LOGSOURCETYPENAME(logsourceid) ILIKE '%Azure%'
    AND (
      "Event Name" ILIKE '%RECOVERYSERVICES%BACKUPCONFIG%'
      OR "Event Name" ILIKE '%RECOVERYSERVICES%PROTECTEDITEMS%DELETE%'
      OR "Event Name" ILIKE '%RECOVERYSERVICES/VAULTS/DELETE%'
      OR "Event Name" ILIKE '%COMPUTE/SNAPSHOTS/DELETE%'
    )
    AND UTF8(payload) ILIKE '%Succeeded%'
  )
ORDER BY starttime DESC
LAST 24 HOURS
critical severity high confidence

QRadar AQL query spanning AWS CloudTrail and Azure Activity Log sources for backup/recovery infrastructure deletion. Excludes AWS Backup service-initiated lifecycle expiration by filtering out payloads referencing backup.amazonaws.com. Flags Azure soft-delete disablement, protected-item/vault deletion, and managed-disk snapshot deletion where the operation succeeded. Recommend a QRadar rule requiring 3+ matches from the same caller identity within 30 minutes for the burst pattern.

Data Sources

AWS CloudTrail (via QRadar Cloud Visibility app or Universal DSM)Azure Activity Log (via QRadar Azure DSM or Universal DSM)

Required Tables

events

False Positives & Tuning

  • Legitimate backup lifecycle/retention expiration
  • Planned environment decommissioning with bulk deletion
  • Cost-optimization snapshot pruning by authorized engineers
  • Migration projects temporarily disabling Azure Backup soft-delete
  • Backup/DR testing in non-production accounts or subscriptions

Other platforms for THREAT-CloudBackup-SnapshotPurge


Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate AWS Backup Recovery Point Deletion Burst

    Expected signal: AWS CloudTrail management events: eventName=DeleteRecoveryPoint, eventSource=backup.amazonaws.com, three or more events from the same userIdentity.arn within a few minutes, with userIdentity.type NOT equal to AWSService.

  2. Test 2Simulate Azure Recovery Services Soft-Delete Disable Then Protected Item Removal

    Expected signal: Azure Activity Log entries: operationName=MICROSOFT.RECOVERYSERVICES/VAULTS/BACKUPCONFIG/WRITE (soft-delete disabled) followed within minutes by operationName=MICROSOFT.RECOVERYSERVICES/VAULTS/BACKUPFABRICS/BACKUPPROTECTIONCONTAINERS/PROTECTEDITEMS/DELETE, both with resultType=Success from the same caller.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-CloudBackup-SnapshotPurge — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hub