Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-CloudBackup-SnapshotPurge.
Upgrade to ProDetect Cloud Backup Vault and Snapshot Deletion Prior to Ransomware Detonation in Microsoft Sentinel
As organizations move backup targets from on-premises VSS/wbadmin to cloud-native services (AWS Backup, EBS/RDS snapshots, Azure Recovery Services vaults, Azure managed-disk snapshots), ransomware affiliates have adapted their recovery-inhibition step to match: rather than running vssadmin on an endpoint, the attacker who has obtained cloud administrative credentials calls the backup/snapshot service's own deletion APIs directly. Observed patterns include bulk deletion of AWS Backup recovery points and backup vaults (DeleteRecoveryPoint, DeleteBackupVault, DeleteBackupPlan, DeleteBackupSelection), direct deletion of EC2/RDS snapshots (DeleteSnapshot, DeleteDBSnapshot, DeleteDBClusterSnapshot), and — on Azure — first disabling the Recovery Services vault's soft-delete protection before deleting protected items or the vault itself (soft-delete exists specifically to survive this attack, so its removal is itself a strong signal), plus deletion of standalone managed-disk snapshots. This is functionally identical in intent to T1490's on-host VSS/BCD deletion but lives entirely in cloud control-plane audit logs (AWS CloudTrail, Azure Activity Log) rather than endpoint telemetry, and the key discriminator from legitimate lifecycle-policy cleanup is who/what made the call: automated retention-policy expiration is initiated by the backup service itself (e.g. CloudTrail invokedBy backup.amazonaws.com), while an interactive IAM user or role deleting many recovery points/vaults in a short window is anomalous and, combined with a soft-delete-disable step on Azure, should be treated as an active pre-encryption indicator.
MITRE ATT&CK
- Tactic
- Impact
KQL Detection Query
// THREAT-CloudBackup-SnapshotPurge (T1490 Inhibit System Recovery - cloud control plane)
let Lookback = 24h;
let BurstWindow = 30m;
let MinBurstCount = 3;
// AWS: bulk deletion of AWS Backup recovery points/vaults/plans and EC2/RDS snapshots, excluding service-initiated lifecycle expiration
let AwsDeletions = AWSCloudTrail
| where TimeGenerated > ago(Lookback)
| where EventName in ("DeleteRecoveryPoint", "DeleteBackupVault", "DeleteBackupPlan", "DeleteBackupSelection", "DeleteSnapshot", "DeleteDBSnapshot", "DeleteDBClusterSnapshot")
| where ErrorCode == "" or isempty(ErrorCode)
| where UserIdentityType != "AWSService" and UserIdentityInvokedBy != "backup.amazonaws.com"
| summarize DeleteCount = count(), Targets = make_set(EventName), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by UserIdentityArn, RecipientAccountId, bin(TimeGenerated, BurstWindow)
| where DeleteCount >= MinBurstCount
| extend CloudProvider = "AWS", Identity = UserIdentityArn, AccountOrSubscription = RecipientAccountId;
// Azure: soft-delete disablement on a Recovery Services vault, or deletion of protected items / the vault / managed-disk snapshots
let AzureDeletions = AzureActivity
| where TimeGenerated > ago(Lookback)
| where OperationNameValue has_any (
"MICROSOFT.RECOVERYSERVICES/VAULTS/BACKUPCONFIG/WRITE",
"MICROSOFT.RECOVERYSERVICES/VAULTS/BACKUPFABRICS/BACKUPPROTECTIONCONTAINERS/PROTECTEDITEMS/DELETE",
"MICROSOFT.RECOVERYSERVICES/VAULTS/DELETE",
"MICROSOFT.COMPUTE/SNAPSHOTS/DELETE"
)
| where ActivityStatusValue == "Succeeded"
| summarize DeleteCount = count(), Targets = make_set(OperationNameValue), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Caller, SubscriptionId, bin(TimeGenerated, BurstWindow)
| where DeleteCount >= MinBurstCount
| extend CloudProvider = "Azure", Identity = Caller, AccountOrSubscription = SubscriptionId;
union AwsDeletions, AzureDeletions
| project TimeGenerated, CloudProvider, Identity, AccountOrSubscription, DeleteCount, Targets, FirstSeen, LastSeen
| sort by DeleteCount desc, TimeGenerated desc Cross-cloud detection over AWS CloudTrail and Azure Activity Log for burst deletion of backup/recovery infrastructure. AWS side flags 3+ DeleteRecoveryPoint/DeleteBackupVault/DeleteBackupPlan/DeleteBackupSelection/DeleteSnapshot/DeleteDBSnapshot/DeleteDBClusterSnapshot calls by the same identity within a 30-minute window, explicitly excluding calls made by the AWS Backup service itself (routine retention-policy expiration). Azure side flags the same burst pattern for Recovery Services vault soft-delete disablement, protected-item/vault deletion, and managed-disk snapshot deletion. Deliberately excludes single, isolated deletions (common for legitimate ad-hoc cleanup) and focuses on the burst pattern characteristic of an attacker methodically clearing recovery options before or during encryption.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate backup lifecycle/retention policy expiration — should already be excluded by the UserIdentityType/InvokedBy filter on the AWS side, but verify the filter matches your account's actual invokedBy value if using a custom automation Lambda that wraps the Backup service calls
- Planned decommissioning of an environment (e.g. end-of-project cleanup) where an admin intentionally deletes backup vaults and recovery points in bulk — cross-reference against a change ticket
- Cost-optimization projects that intentionally prune old EBS/RDS snapshots in bulk via a script run by an authorized engineer
- Migration projects that disable Azure Backup soft-delete temporarily to allow immediate vault re-registration or region migration
- Security/compliance teams testing backup restore and deletion procedures in a non-production subscription or account
Other platforms for THREAT-CloudBackup-SnapshotPurge
Testing Methodology
Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate AWS Backup Recovery Point Deletion Burst
Expected signal: AWS CloudTrail management events: eventName=DeleteRecoveryPoint, eventSource=backup.amazonaws.com, three or more events from the same userIdentity.arn within a few minutes, with userIdentity.type NOT equal to AWSService.
- Test 2Simulate Azure Recovery Services Soft-Delete Disable Then Protected Item Removal
Expected signal: Azure Activity Log entries: operationName=MICROSOFT.RECOVERYSERVICES/VAULTS/BACKUPCONFIG/WRITE (soft-delete disabled) followed within minutes by operationName=MICROSOFT.RECOVERYSERVICES/VAULTS/BACKUPFABRICS/BACKUPPROTECTIONCONTAINERS/PROTECTEDITEMS/DELETE, both with resultType=Success from the same caller.
References (7)
- https://attack.mitre.org/techniques/T1490/
- https://attack.mitre.org/tactics/TA0040/
- https://docs.aws.amazon.com/aws-backup/latest/devguide/API_DeleteRecoveryPoint.html
- https://docs.aws.amazon.com/aws-backup/latest/devguide/API_DeleteBackupVault.html
- https://learn.microsoft.com/en-us/azure/backup/backup-azure-security-feature-cloud
- https://learn.microsoft.com/en-us/azure/backup/backup-azure-delete-vault
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-CloudBackup-SnapshotPurge — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month