
Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to data destruction, including deleting files, overwriting files, wiping disks and encrypting files.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2022-02-14
  • Author: Teoderick Contreras, Splunk
  • ID: 4ae5c0d1-cebd-47d1-bfce-71bf096e38aa

Narrative

Adversaries may use this technique to maximize the impact on the target organization in operations where network-wide availability interruption is the goal.

Detections

Name | Technique | Type
CMD Carry Out String Command Parameter | Windows Command Shell, Command and Scripting Interpreter | Hunting
Executable File Written in Administrative SMB Share | Remote Services, SMB/Windows Admin Shares | TTP
Executables Or Script Creation In Suspicious Path | Masquerading | TTP
Linux DD File Overwrite | Data Destruction | TTP
Linux Deleting Critical Directory Using RM Command | Data Destruction | TTP
Linux High Frequency Of File Deletion In Boot Folder | Data Destruction, File Deletion, Indicator Removal on Host | TTP
Regsvr32 Silent and Install Param Dll Loading | Signed Binary Proxy Execution, Regsvr32 | Anomaly
Suspicious Process File Path | Create or Modify System Process | TTP
Windows Disable Memory Crash Dump | Data Destruction | TTP
Windows File Without Extension In Critical Folder | Data Destruction | TTP
Windows Modify Show Compress Color And Info Tip Registry | Modify Registry | TTP
Windows Raw Access To Disk Volume Partition | Disk Structure Wipe, Disk Wipe | Anomaly
Windows Raw Access To Master Boot Record Drive | Disk Structure Wipe, Disk Wipe | TTP

Reference

source | version: 1