title: Data Destruction (T1485)
id: df00tech-t1485
status: experimental
description: "Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives. Unlike simple deletion commands (del, rm) that only remove file pointers, data destruction involves overwriting file contents with random data, zeroes, or image files to prevent forensic recovery. Real-world examples include Shamoon (overwrites with image files), WhisperGate (corrupts first 1MB with 0xCC bytes), HermeticWiper (recursive folder wiping via FSCTL_MOVE_FILE), Industroyer (clears registry keys and overwrites ICS configuration files), and Olympic Destroyer (overwrites local and remote shares). Adversaries commonly pair file destruction with Volume Shadow Copy deletion and boot recovery disabling to maximize irrecoverability. In cloud environments, adversaries may delete storage objects, VM images, database instances, and backup vaults to damage an organization's operational continuity."
references:
  - https://attack.mitre.org/techniques/T1485/
  - https://df00tech.com/detections/T1485
author: df00tech
date: 2026/04/13
tags:
  - attack.t1485
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Backup software (Veeam, Commvault, Windows Server Backup) that uses vssadmin to manage shadow copy storage size and delete oldest snapshots as part of configured retention policies"
  - IT administrators running sdelete or cipher /w as part of approved data sanitization procedures before hardware decommission or secure disposal
  - "System administrators using bcdedit to configure dual-boot environments, change default OS entries, or modify boot settings during authorized OS maintenance windows"
  - Security testing tools and penetration testing engagements running data destruction simulations on designated test systems with change management approval
  - Automated disk imaging and OS provisioning workflows that use format.exe or diskpart as part of system reimaging pipelines on known build servers
level: critical
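As an added example that is not part of the df00tech rule or its KQL/SPL query: a Python triage check run over constructed process-creation events for the companion behaviours the description and the falsepositives entries name (shadow copy deletion, boot recovery disabling, sanitisation tools, disk formatting), with a host allowlist for the backup and build servers the false-positive entries describe. The Sysmon-style field names (Computer, CommandLine), the regex patterns and the BACKUP_HOSTS set are assumptions.

```python
import re

# Assumed patterns for the companion commands the rule's description and
# falsepositives list mention; tune them to your own telemetry.
INDICATORS = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "boot_recovery_disabled": re.compile(
        r"bcdedit(\.exe)?\s.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "secure_wipe_tool": re.compile(
        r"(sdelete(64)?(\.exe)?\s|cipher(\.exe)?\s+/w:)", re.I),
    "disk_format": re.compile(
        r"(\bformat(\.com|\.exe)?\s+[a-z]:|diskpart(\.exe)?\s)", re.I),
}

# Assumed allowlist: hosts where backup or imaging software legitimately
# manages shadow copies or formats disks (see the falsepositives section).
BACKUP_HOSTS = {"bkp-veeam01", "build-srv02"}

# Only these findings are expected from backup/imaging tooling; disabling
# boot recovery or running a wipe tool is not suppressed anywhere.
SUPPRESSIBLE = {"shadow_copy_deletion", "disk_format"}


def evaluate(event: dict) -> dict:
    """Return the matched indicator names and an alert verdict for one event."""
    cmd = event.get("CommandLine", "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    host = event.get("Computer", "").lower()
    if host in BACKUP_HOSTS and set(hits) <= SUPPRESSIBLE:
        return {"hits": hits, "alert": False}
    return {"hits": hits, "alert": bool(hits)}


def triage(events: list) -> list:
    """Return (host, hits) for every event that should raise an alert."""
    out = []
    for ev in events:
        verdict = evaluate(ev)
        if verdict["alert"]:
            out.append((ev.get("Computer", ""), verdict["hits"]))
    return out


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Computer": "ws-finance07", "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "ws-finance07", "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"Computer": "bkp-veeam01", "CommandLine": "vssadmin delete shadows /for=C: /oldest"},
    {"Computer": "ws-hr03", "CommandLine": "notepad.exe C:\\notes.txt"},
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS):
        print(f"ALERT {host}: {', '.join(hits)}")
```

The allowlist is deliberately host-scoped rather than tool-scoped: the same vssadmin command is benign retention housekeeping on a backup server and a strong T1485 precursor on a finance workstation.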
