Data Destruction

Try in Splunk Security Cloud

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the data destruction, including deleting files, overwriting files, wiping disk and encrypting files.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• Last Updated: 2022-02-14
• Author: Teoderick Contreras, Splunk
• ID: 4ae5c0d1-cebd-47d1-bfce-71bf096e38aa

Narrative

Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.

Detections

Name	Technique	Type
CMD Carry Out String Command Parameter	Windows Command Shell, Command and Scripting Interpreter	Hunting
Executable File Written in Administrative SMB Share	Remote Services, SMB/Windows Admin Shares	TTP
Executables Or Script Creation In Suspicious Path	Masquerading	TTP
Linux DD File Overwrite	Data Destruction	TTP
Linux Deleting Critical Directory Using RM Command	Data Destruction	TTP
Linux High Frequency Of File Deletion In Boot Folder	Data Destruction, File Deletion, Indicator Removal on Host	TTP
Regsvr32 Silent and Install Param Dll Loading	Signed Binary Proxy Execution, Regsvr32	Anomaly
Suspicious Process File Path	Create or Modify System Process	TTP
Windows Disable Memory Crash Dump	Data Destruction	TTP
Windows File Without Extension In Critical Folder	Data Destruction	TTP
Windows Modify Show Compress Color And Info Tip Registry	Modify Registry	TTP
Windows Raw Access To Disk Volume Partition	Disk Structure Wipe, Disk Wipe	Anomaly
Windows Raw Access To Master Boot Record Drive	Disk Structure Wipe, Disk Wipe	TTP

Reference

• https://attack.mitre.org/techniques/T1485/
• https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/
• https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware

source | version: 1