GitHub Repo

Analytics Story: Data Destruction

Updated Date: 2026-05-13 ID: 4ae5c0d1-cebd-47d1-bfce-71bf096e38aa Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the data destruction, including deleting files, overwriting files, wiping disk and unrecoverable file encryption. This analytic story may cover several known activities related to malware implants used in geo-political war to wipe disks or files to interrupt the network-wide operation of a targeted organization. Analytics can detect the behavior of "DoubleZero Destructor", "CaddyWiper", "AcidRain", "AwfulShred", "Hermetic Wiper", "Swift Slicer", "Whisper Gate" and many more.

Why it matters

Adversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface or using 3rd party drivers to directly access disk content like Master Boot Record to wipe it. Some of these attacks were seen in geo-political war to impair the operation of targeted organizations or to interrupt network-wide services.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Runas Execution in CommandLine Token Impersonation/Theft Hunting
Impacket Lateral Movement WMIExec Commandline Parameters SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
WinEvent Scheduled Task Created Within Public Path Scheduled Task TTP
Windows InstallUtil in Non Standard Path Rename Legitimate Utilities, InstallUtil TTP
AdsiSearcher Account Discovery Domain Account TTP
Screensaver Event Trigger Execution Screensaver TTP
Linux Indicator Removal Service File Deletion File Deletion Anomaly
Linux High Frequency Of File Deletion In Boot Folder File Deletion, Data Destruction TTP
Malicious PowerShell Process - Encoded Command Obfuscated Files or Information Hunting
Windows Raw Access To Master Boot Record Drive Disk Structure Wipe TTP
Print Processor Registry Autostart Print Processors TTP
Detect Empire with PowerShell Script Block Logging PowerShell TTP
Wscript Or Cscript Suspicious Child Process Process Injection, Parent PID Spoofing, Create or Modify System Process Anomaly
Linux Adding Crontab Using List Parameter Cron Hunting
Linux High Frequency Of File Deletion In Etc Folder File Deletion, Data Destruction Anomaly
Possible Lateral Movement PowerShell Spawn Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, PowerShell, MMC, Windows Service Anomaly
Windows File Without Extension In Critical Folder Data Destruction TTP
Windows Raw Access To Disk Volume Partition Disk Structure Wipe Anomaly
Windows Disable Memory Crash Dump Data Destruction TTP
Linux Data Destruction Command Data Destruction TTP
Linux DD File Overwrite Data Destruction TTP
Impacket Lateral Movement smbexec CommandLine Parameters SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Windows Hidden Schedule Task Settings Scheduled Task/Job TTP
Windows NirSoft Utilities Tool Hunting
Excessive File Deletion In WinDefender Folder Data Destruction TTP
Powershell Fileless Process Injection via GetProcAddress Process Injection, PowerShell TTP
O365 Email Send and Hard Delete Suspicious Behavior Clear Mailbox Data, Local Email Collection, Data Destruction Anomaly
Executable File Written in Administrative SMB Share SMB/Windows Admin Shares TTP
Linux Stop Services Service Stop TTP
Windows Root Domain linked policies Discovery Domain Account Anomaly
Child Processes of Spoolsv exe Exploitation for Privilege Escalation TTP
Linux Auditd Dd File Overwrite Data Destruction TTP
Windows DotNet Binary in Non Standard Path Rename Legitimate Utilities, InstallUtil TTP
Linux Auditd Stop Services Service Stop Hunting
Powershell Processing Stream Of Data PowerShell TTP
Powershell Using memory As Backing Store PowerShell TTP
Linux Shred Overwrite Command Data Destruction TTP
Linux Auditd Shred Overwrite Command Data Destruction TTP
Linux Stdout Redirection To Dev Null File Disable or Modify System Firewall Anomaly
PowerShell - Connect To Internet With Hidden Window PowerShell Hunting
O365 Email Hard Delete Excessive Volume Clear Mailbox Data, Data Destruction Anomaly
ETW Registry Disabled Trusted Developer Utilities Proxy Execution, Disable or Modify Tools TTP
Windows Suspicious Process File Path Match Legitimate Resource Name or Location, Create or Modify System Process TTP
Windows Processes Killed By Industroyer2 Malware Service Stop Anomaly
Unloading AMSI via Reflection PowerShell, Disable or Modify Tools TTP
Windows Terminating Lsass Process Disable or Modify Tools Anomaly
Linux Deletion Of Services File Deletion, Data Destruction TTP
Linux Deleting Critical Directory Using RM Command Data Destruction TTP
Linux Unix Shell Enable All SysRq Functions Unix Shell Anomaly
Linux Auditd Data Destruction Command Data Destruction TTP
Windows NirSoft AdvancedRun Tool TTP
Detect DNS Query to Decommissioned S3 Bucket Data Destruction Anomaly
O365 Email Password and Payroll Compromise Behavior Clear Mailbox Data, Local Email Collection, Data Destruction TTP
O365 Email Receive and Hard Delete Takeover Behavior Clear Mailbox Data, Local Email Collection, Data Destruction Anomaly
Windows Modify Show Compress Color And Info Tip Registry Modify Registry TTP
Regsvr32 Silent and Install Param Dll Loading Regsvr32 Anomaly
Dump LSASS via comsvcs DLL LSASS Memory TTP
MSI Module Loaded by Non-System Binary DLL Hunting
Linux System Reboot Via System Request Key System Shutdown/Reboot TTP
O365 Email Send and Hard Delete Exfiltration Behavior Clear Mailbox Data, Local Email Collection, Data Destruction Anomaly
Windows NirSoft Tool Bundle File Created Tool Anomaly
Process Deleting Its Process File Path Indicator Removal TTP
Overwriting Accessibility Binaries Accessibility Features TTP
Suspicious Process DNS Query Known Abuse Web Services Visual Basic TTP
Add or Set Windows Defender Exclusion Disable or Modify Tools TTP
Windows Deleted Registry By A Non Critical Process File Path Modify Registry Anomaly
Active Setup Registry Autostart Active Setup TTP
Executables Or Script Creation In Temp Path Masquerading Anomaly
WinEvent Windows Task Scheduler Event Action Started Scheduled Task Hunting
PowerShell Domain Enumeration PowerShell TTP
Powershell Windows Defender Exclusion Commands Disable or Modify Tools TTP
Suspicious Process With Discord DNS Query Visual Basic Anomaly
Linux System Network Discovery System Network Configuration Discovery Anomaly
Windows High File Deletion Frequency Data Destruction Anomaly
PowerShell 4104 Hunting PowerShell Hunting
Powershell Fileless Script Contains Base64 Encoded Content Obfuscated Files or Information, PowerShell TTP
Windows Data Destruction Recursive Exec Files Deletion Data Destruction TTP
Set Default PowerShell Execution Policy To Unrestricted or Bypass PowerShell TTP
Time Provider Persistence Registry Time Providers TTP
WMI Recon Running Process Or Services Gather Victim Host Information Anomaly
Linux Disable Services Service Stop TTP
Windows Linked Policies In ADSI Discovery Domain Account Anomaly
Impacket Lateral Movement Commandline Parameters SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Linux Indicator Removal Clear Cache Indicator Removal TTP
Logon Script Event Trigger Execution Logon Script (Windows) TTP
Powershell Remove Windows Defender Directory Disable or Modify Tools TTP
Linux Impair Defenses Process Kill Disable or Modify Tools Hunting
Web or Application Server Spawning a Shell External Remote Services, Exploit Public-Facing Application TTP
Windows File Download Via PowerShell PowerShell, Ingress Tool Transfer Anomaly
Recon AVProduct Through Pwh or WMI Gather Victim Host Information TTP
Powershell Enable SMB1Protocol Feature Indicator Removal from Tools TTP
Powershell Execute COM Object PowerShell, Component Object Model Hijacking TTP
Email Attachments With Lots Of Spaces Masquerade File Type, Spearphishing Attachment Anomaly
Schtasks Run Task On Demand Scheduled Task/Job Anomaly
CMD Carry Out String Command Parameter Windows Command Shell Hunting
Detect Mimikatz With PowerShell Script Block Logging OS Credential Dumping, PowerShell TTP
Windows Sensitive Registry Hive Dump Via CommandLine Security Account Manager TTP
Windows Attempt To Stop Security Service Disable or Modify Tools TTP
Windows New Default File Association Value Set Change Default File Association Hunting
Linux Auditd Hardware Addition Swapoff Hardware Additions Anomaly
Kerberoasting spn request with RC4 encryption Kerberoasting TTP
Detect Web Access to Decommissioned S3 Bucket Data Destruction Anomaly
Ping Sleep Batch Command Time Based Checks Anomaly
Suspicious Email Attachment Extensions Spearphishing Attachment Anomaly
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
Linux Deletion Of Init Daemon Script File Deletion, Data Destruction TTP
Linux Hardware Addition SwapOff Hardware Additions Anomaly
Malicious PowerShell Process With Obfuscation Techniques PowerShell TTP
Linux Auditd Service Restarted Systemd Timers Anomaly
Linux Service Restarted Systemd Timers Anomaly
PowerShell Loading DotNET into Memory via Reflection PowerShell Anomaly
Registry Keys Used For Privilege Escalation Image File Execution Options Injection TTP
Linux Deletion Of Cron Jobs File Deletion, Data Destruction Anomaly
Recon Using WMI Class PowerShell, Gather Victim Host Information Anomaly

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 Other crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log Security 4698 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Powershell Script Block Logging 4104 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 13 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon for Linux EventID 1 Linux icon Linux sysmon:linux Syslog:Linux-Sysmon/Operational
Sysmon for Linux EventID 11 Linux icon Linux sysmon:linux Syslog:Linux-Sysmon/Operational
Sysmon EventID 9 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 23 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 26 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Office 365 Universal Audit Log Other o365:management:activity o365
Windows Event Log Security 5145 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Linux Auditd Proctitle Linux icon Linux auditd auditd
Linux Auditd Service Stop Linux icon Linux auditd auditd
Sysmon EventID 5 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 10 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Office 365 Reporting Message Trace Other o365:reporting:messagetrace o365
Sysmon EventID 7 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log TaskScheduler 201 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log TaskScheduler 200 Windows icon Windows wineventlog WinEventLog:Microsoft-Windows-TaskScheduler/Operational
Osquery Results Other osquery:results osquery
Cisco Network Visibility Module Flow Data Network icon Network cisco:nvm:flowdata not_applicable
Linux Auditd Execve Linux icon Linux auditd auditd
Windows Event Log Security 4769 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
AWS Cloudfront AWS icon AWS aws:cloudfront:accesslogs aws

References

Source: GitHub | Version: 2