The uninstallation of a large software application or the use of cleanmgr.exe may trigger this detection. A filter is necessary to reduce false positives.

Techniques

Sample rules

Windows Data Destruction Recursive Exec Files Deletion

Description

This analytic identifies a suspicious process that is recursively deleting files on a compromised host. This behavior has been observed in several types of destructive malware, such as CaddyWiper, DoubleZero, and SwiftSlicer, which delete or overwrite files with randomly generated strings to make recovery impossible. Additionally, this analytic can detect potential recursive file writes across multiple files using Sysmon Event 23 or 26. Sysmon considers a file as deleted as soon as it is overwritten. This analytic serves as a strong indicator of potential destructive malware activity on a host machine or the uninstallation of a large software application.

Detection logic

`sysmon` EventCode IN ("23","26") TargetFilename IN ("*.exe", "*.sys", "*.dll")
| bin _time span=2m
| stats count, values(TargetFilename) as deleted_files, min(_time) as firstTime, max(_time) as lastTime by user, dest, signature, signature_id, Image, process_name, process_guid
| rename Image as process
| where count >=500
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_data_destruction_recursive_exec_files_deletion_filter`
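The same aggregation as an added Python example (not part of the original rule or the Splunk content): it replays the SPL pipeline over constructed Sysmon-like events, applying the 2-minute bin, the 500-deletion threshold and a process-name allowlist standing in for the filter macro. The event dicts, the `wipe.exe` path, the `sample_events` and `detect` names, and the omission of the `signature` fields are assumptions for the example.

```python
from collections import defaultdict
from fnmatch import fnmatch
from ntpath import basename

# Mirrors the SPL: Sysmon 23/26, executable-type targets, 2-minute bins,
# >= 500 deletions per (user, dest, process) bucket, then a filter step.
EXEC_GLOBS = ("*.exe", "*.sys", "*.dll")
THRESHOLD = 500
SPAN_SECONDS = 120  # bin _time span=2m

def sample_events():
    """Constructed Sysmon-like events (not real telemetry)."""
    def burst(n, image, guid, ext, base):
        return [{"EventCode": 23 if i % 2 else 26, "_time": base + i % 60,
                 "user": "SYSTEM", "dest": "ws01", "Image": image,
                 "process_guid": guid,
                 "TargetFilename": f"C:\\Program Files\\App\\f{i}.{ext}"}
                for i in range(n)]
    return (burst(600, "C:\\Users\\Public\\wipe.exe", "{G1}", "dll", 1200)        # wiper-like
            + burst(550, "C:\\Windows\\System32\\cleanmgr.exe", "{G2}", "exe", 1200)  # benign cleanup
            + burst(700, "C:\\Tools\\log.exe", "{G3}", "txt", 1200)              # not exec targets
            + burst(300, "C:\\Setup\\unins.exe", "{G4}", "exe", 1200))           # below threshold

def detect(events, allowlist=("cleanmgr.exe",)):
    buckets = defaultdict(lambda: {"count": 0, "deleted_files": set(), "times": []})
    for ev in events:
        if ev["EventCode"] not in (23, 26):
            continue
        name = ev["TargetFilename"].lower()          # SPL IN(...) glob match is case-insensitive
        if not any(fnmatch(name, g) for g in EXEC_GLOBS):
            continue
        bucket = ev["_time"] - ev["_time"] % SPAN_SECONDS
        key = (bucket, ev["user"], ev["dest"], ev["Image"], ev["process_guid"])
        b = buckets[key]
        b["count"] += 1                              # stats count
        b["deleted_files"].add(ev["TargetFilename"]) # values(TargetFilename)
        b["times"].append(ev["_time"])
    alerts = []
    for (bucket, user, dest, image, guid), b in buckets.items():
        if b["count"] < THRESHOLD:                   # where count >= 500
            continue
        if basename(image).lower() in allowlist:     # stand-in for the filter macro
            continue
        alerts.append({"user": user, "dest": dest, "process": image,
                       "process_guid": guid, "count": b["count"],
                       "deleted_files": sorted(b["deleted_files"]),
                       "firstTime": min(b["times"]), "lastTime": max(b["times"])})
    return alerts
```

Running `detect(sample_events())` returns only the wiper-like burst; passing `allowlist=()` also surfaces the cleanmgr.exe burst, which is the false positive the page describes.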