Backup Files Deleted
- source: sigma
- techniques:
  - t1490
Description
Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.
Detection logic
  selection:
    Image|endswith:
      - \cmd.exe
      - \powershell.exe
      - \pwsh.exe
      - \wt.exe
      - \rundll32.exe
      - \regsvr32.exe
    TargetFilename|endswith:
      - .VHD
      - .bac
      - .bak
      - .wbcat
      - .bkf
      - .set
      - .win
      - .dsk
  condition: selection
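To see how this selection behaves on real-looking telemetry, the following Python re-implements the two clauses the rule uses (`|endswith` on `Image` and `TargetFilename`, AND-ed together, with Sigma's default case-insensitive string comparison) and runs them over a few constructed file-deletion records. This is an added example, not code from the Sigma project or from the rule's author; the event shape (Sysmon-style FileDelete records with `Image` and `TargetFilename` fields) and every path, hostname and file name in the sample data are constructed for illustration, since the page does not show the rule's logsource.

```python
"""Evaluate the 'Backup Files Deleted' selection over constructed file-delete events.

Added example, not part of the Sigma rule or the Sigma project. It implements only
the modifiers this rule needs (Sigma's default case-insensitive matching) and runs
them over constructed Sysmon-style FileDelete records.
"""
from __future__ import annotations

from typing import Any, Dict, List

# The rule's selection, copied from the page. Keys carry Sigma field modifiers.
SELECTION: Dict[str, List[str]] = {
    "Image|endswith": [
        r"\cmd.exe", r"\powershell.exe", r"\pwsh.exe",
        r"\wt.exe", r"\rundll32.exe", r"\regsvr32.exe",
    ],
    "TargetFilename|endswith": [
        ".VHD", ".bac", ".bak", ".wbcat", ".bkf", ".set", ".win", ".dsk",
    ],
}

# Constructed sample events (not real telemetry); paths and names are made up.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"EventID": 23, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"D:\Backups\finance-2024.bak"},
    {"EventID": 23, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.EXE",
     "TargetFilename": r"D:\Backups\srv01.vhd"},          # upper-case image, lower-case .vhd
    {"EventID": 23, "Image": r"C:\Program Files\ExampleBackup\backupmgr.exe",
     "TargetFilename": r"D:\Backups\srv02.vbk"},          # backup tool, but not a listed image/ext
    {"EventID": 23, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\report.docx"},    # listed shell, not a backup extension
    {"EventID": 23, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\old.bak"},        # backup extension, image not listed
]


def _field_matches(event: Dict[str, Any], field_spec: str, patterns: List[str]) -> bool:
    """Apply one 'Field|modifier: [values]' clause; values in the list are OR-ed."""
    field, _, modifier = field_spec.partition("|")
    value = event.get(field)
    if not isinstance(value, str):
        return False
    v = value.lower()  # Sigma compares strings case-insensitively by default
    if modifier == "endswith":
        return any(v.endswith(p.lower()) for p in patterns)
    if modifier == "startswith":
        return any(v.startswith(p.lower()) for p in patterns)
    if modifier == "contains":
        return any(p.lower() in v for p in patterns)
    if modifier == "":
        return any(v == p.lower() for p in patterns)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event: Dict[str, Any], selection: Dict[str, List[str]] = SELECTION) -> bool:
    """A selection map AND-s its clauses; 'condition: selection' is exactly this result."""
    return all(_field_matches(event, spec, pats) for spec, pats in selection.items())


def run(events: List[Dict[str, Any]]) -> List[str]:
    """Return the TargetFilename of every event the rule would fire on."""
    return [e["TargetFilename"] for e in events if selection_matches(e)]


if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print("ALERT Backup Files Deleted:", hit)
```

Only the first two constructed events fire: the second one shows why the case-insensitive comparison matters, since the rule lists `.VHD` while the file on disk is `.vhd`. The last three illustrate the rule's shape rather than its gaps, but note that `.set`, `.win` and `.dsk` are also used by unrelated software, so a deployment will normally need environment-specific filters on top of this selection.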