
Backup Files Deleted

Summary
This detection rule identifies the deletion of file types commonly associated with backup files on Windows systems. Adversaries may delete these files to hinder recovery after malicious activity or as part of an attack that involves data destruction. The rule monitors file deletions performed by specific processes, in particular command and scripting interfaces such as cmd.exe and powershell.exe. The target file extensions covered by the rule include `.VHD`, `.bak` and `.wbcat`, among others, all of which indicate backup and recovery files. The detection fires only when both conditions hold: the deleting process is one of the specified images (such as the command-line utilities above) and the deleted file has one of the listed extensions. False positives must be expected and triaged, since legitimate administrative activity may also involve removing these backup files.
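As an added example (not the rule's own Sigma source), the matcher below mirrors the logic described above and runs it over a few constructed file-deletion events. It assumes Sysmon-style `Image` and `TargetFilename` fields, lists only the three extensions named in the summary (the real rule covers more), and applies Sigma's default case-insensitive string matching.

```python
from typing import Dict, List

# Process images the summary names as the triggering command and scripting interfaces.
SUSPECT_IMAGES = ("\\cmd.exe", "\\powershell.exe")

# Backup-related extensions named in the summary (assumption: the real rule lists more).
BACKUP_EXTENSIONS = (".vhd", ".bak", ".wbcat")


def matches_backup_deletion(event: Dict[str, str]) -> bool:
    """Return True when a file-deletion event comes from a suspect image and
    targets a backup-type file. Sigma string matching is case-insensitive by
    default, so both fields are lower-cased before the endswith checks."""
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    return image.endswith(SUSPECT_IMAGES) and target.endswith(BACKUP_EXTENSIONS)


def run_detection(events: List[Dict[str, str]]) -> List[str]:
    """Run the matcher over a batch of events and return the matched file
    names, so an analyst sees exactly which backup files were removed."""
    return [e["TargetFilename"] for e in events if matches_backup_deletion(e)]


# Constructed sample events (not real telemetry); paths are illustrative only.
SAMPLE_EVENTS = [
    # Backup deleted via cmd.exe: should fire.
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "D:\\Backups\\fileserver-2022-01-01.bak"},
    # PowerShell removing a backup catalog with an upper-case extension: should fire.
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "C:\\Windows\\Logs\\WindowsBackup\\catalog.WBCAT"},
    # Backup agent (not a listed image) rotating its own .vhd: should NOT fire.
    {"Image": "C:\\Program Files\\BackupVendor\\agent.exe",
     "TargetFilename": "E:\\Images\\host01.vhd"},
    # cmd.exe deleting a non-backup temp file: should NOT fire.
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Users\\admin\\AppData\\Local\\Temp\\build.log"},
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("backup file deleted by scripting interface:", hit)
```

The third sample shows the main false-negative trade-off of the image filter: deletions by tools other than the listed interpreters are not covered, while the fourth shows why the extension condition keeps ordinary cmd.exe clean-up from alerting.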
Categories
  • Windows
  • Endpoint
Data Sources
  • File
ATT&CK Techniques
  • T1490
Created: 2022-01-02