LoFP / users may delete a large number of pictures or files in a folder, which could trigger this detection. additionally, heavy usage of powerbi and outlook may also result in false positives.


Sample rules

Windows High File Deletion Frequency


This search identifies a high frequency of file deletions relative to the process name and process ID. Such events typically occur when ransomware attempts to encrypt files with specific extensions, leading Sysmon to treat the original files as deleted as soon as they are replaced with encrypted data.

Detection logic

`sysmon` EventCode IN ("23", "26") TargetFilename IN ("*.cmd", "*.ini", "*.gif", "*.jpg", "*.jpeg", "*.db", "*.ps1", "*.doc", "*.docx", "*.xls", "*.xlsx", "*.ppt", "*.pptx", "*.bmp", "*.zip", "*.rar", "*.7z", "*.chm", "*.png", "*.log", "*.vbs", "*.js", "*.vhd", "*.bak", "*.wbcat", "*.bkf", "*.backup*", "*.dsk", "*.win") NOT TargetFilename IN ("*\\INetCache\\Content.Outlook\\*")
| stats count, values(TargetFilename) as deleted_files, min(_time) as firstTime, max(_time) as lastTime by user, dest, signature, signature_id, Image, process_name, process_guid 
| rename Image as process 
| where count >=100 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_high_file_deletion_frequency_filter`
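
The filter, grouping and threshold of the search above, re-implemented in Python and run over constructed events to show why a bulk photo delete from Explorer alerts while Outlook cache cleanup does not. This is an added example, not part of the LoFP entry or the Splunk rule. The event dictionaries, host name, paths and GUID strings are made up, EventCode standing in for signature/signature_id is an assumption, and process_name is left out on the assumption that it is derived from Image.

```python
from collections import Counter
from fnmatch import fnmatchcase

# Wildcard lists and threshold copied from the search above.
WATCHED = ["*.cmd", "*.ini", "*.gif", "*.jpg", "*.jpeg", "*.db", "*.ps1", "*.doc",
           "*.docx", "*.xls", "*.xlsx", "*.ppt", "*.pptx", "*.bmp", "*.zip", "*.rar",
           "*.7z", "*.chm", "*.png", "*.log", "*.vbs", "*.js", "*.vhd", "*.bak",
           "*.wbcat", "*.bkf", "*.backup*", "*.dsk", "*.win"]
EXCLUDED = ["*\\INetCache\\Content.Outlook\\*"]
THRESHOLD = 100

def _matches(path, patterns):
    # The search command compares field values case-insensitively.
    return any(fnmatchcase(path.lower(), pat.lower()) for pat in patterns)

def detect(events):
    """Return {group key: count} for every group with count >= THRESHOLD."""
    counts = Counter()
    for e in events:
        name = e["TargetFilename"]
        if e["EventCode"] not in ("23", "26"):
            continue
        if not _matches(name, WATCHED) or _matches(name, EXCLUDED):
            continue
        # Assumption: EventCode stands in for signature/signature_id in the "by" clause.
        counts[(e["user"], e["dest"], e["EventCode"], e["Image"], e["process_guid"])] += 1
    return {key: n for key, n in counts.items() if n >= THRESHOLD}

def _ev(code, user, image, guid, path):
    return {"EventCode": code, "user": user, "dest": "WKSTN-01", "Image": image,
            "process_guid": guid, "TargetFilename": path}

def sample_events():
    """Constructed Sysmon-style events; every value here is made up for the example."""
    cache = r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\AB12CD34"
    # A user empties a photo folder from Explorer: benign, but 150 >= 100.
    ev = [_ev("23", "alice", r"C:\Windows\explorer.exe", "{guid-explorer}",
              rf"C:\Users\alice\Pictures\IMG_{i:04}.JPG") for i in range(150)]
    # Outlook attachment-cache cleanup: dropped by the NOT TargetFilename clause.
    ev += [_ev("26", "alice", r"C:\Office\OUTLOOK.EXE", "{guid-outlook}",
               cache + rf"\att{i}.docx") for i in range(300)]
    # 99 log deletions by one process: one short of the threshold.
    ev += [_ev("23", "svc", r"C:\Tools\cleanup.exe", "{guid-cleanup}",
               rf"C:\Logs\app{i}.log") for i in range(99)]
    return ev

if __name__ == "__main__":
    for key, n in detect(sample_events()).items():
        print(n, key)
```

Only the Explorer group is returned. A tuning entry in the rule's filter macro for that false positive would key on the same fields that form the group key.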