Detection: Windows Data Destruction Recursive Exec Files Deletion

Updated Date: 2025-05-02 ID: 3596a799-6320-4a2f-8772-a9e98ddb2960 Author: Teoderick Contreras, Splunk, Steven Dick Type: TTP Product: Splunk Enterprise Security

Description

The following analytic identifies a suspicious process that is recursively deleting executable files on a compromised host. It leverages Sysmon Event Codes 23 and 26 to detect this activity by monitoring for a high volume of deletions or overwrites of files with extensions like .exe, .sys, and .dll. This behavior is significant as it is commonly associated with destructive malware such as CaddyWiper, DoubleZero, and SwiftSlicer, which aim to make file recovery impossible. If confirmed malicious, this activity could lead to significant data loss and system instability, severely impacting business operations.

1`sysmon` EventCode IN ("23","26") TargetFilename IN ("*.exe", "*.sys", "*.dll") 
2| bin _time span=2m 
3| stats count min(_time) as firstTime, max(_time) as lastTime values(file_path) as file_path values(file_hash) as file_hash values(file_name) as file_name values(file_modify_time) as file_modify_time values(process_name) as process_name values(process_path) as process_path values(process_guid) as process_guid values(process_id) as process_id values(process_exec) as process_exec by action dest dvc signature signature_id user user_id vendor_product 
4| where count >=100 
5| `security_content_ctime(firstTime)` 
6| `security_content_ctime(lastTime)` 
7| `windows_data_destruction_recursive_exec_files_deletion_filter`

Data Source

Name Platform Sourcetype Source
Sysmon EventID 23 Windows icon Windows 'xmlwineventlog' 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
Sysmon EventID 26 Windows icon Windows 'xmlwineventlog' 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'

Macros Used

Name Value
security_content_ctime convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)
windows_data_destruction_recursive_exec_files_deletion_filter search *
windows_data_destruction_recursive_exec_files_deletion_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1485 Data Destruction Impact
Actions on Objectives
DE.CM
CIS 10

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Notable Yes
Rule Title %name%
Rule Description %description%
Notable Event Fields user, dest
Creates Risk Event True
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.

Implementation

To successfully implement this search, you need to ingest logs that include the process name, TargetFilename, and ProcessID executions from your endpoints. If you are using Sysmon, ensure you have at least version 2.0 of the Sysmon TA installed.

Known False Positives

The uninstallation of a large software application or the use of cleanmgr.exe may trigger this detection. A filter is necessary to reduce false positives.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message:

The process $process_name$ has removed a significant quantity of executable files, totaling [$count$], from the destination $dest$.

Risk Object Risk Object Type Risk Score Threat Objects
dest system 64 No Threat Objects
user user 64 No Threat Objects

References

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Passing N/A N/A N/A
Unit Passing Dataset XmlWinEventLog:Microsoft-Windows-Sysmon/Operational XmlWinEventLog
Integration ✅ Passing Dataset XmlWinEventLog:Microsoft-Windows-Sysmon/Operational XmlWinEventLog

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 7