Third-party Backup Files Deleted via Unexpected Process
This detection identifies the deletion of backup files by processes outside of the backup suite, specifically targeting Veritas and Veeam backups, which may indicate an attempt to prevent recovery from ransomware.
This rule identifies the deletion of backup files, specifically those created by Veeam and Veritas Backup Exec, through unexpected processes on Windows systems. The rule aims to detect potential attempts to inhibit system recovery by adversaries, particularly in the context of ransomware attacks. Attackers often target backup files to eliminate recovery options for victims. This detection focuses on identifying file deletion events where the process responsible for the deletion does not belong to the trusted backup software suite. The rule excludes known legitimate processes and directories like Trend Micro’s, Microsoft Exchange Mailbox Assistants, and the Recycle Bin to minimize false positives. The original Elastic detection rule was created in October 2021 and last updated May 4, 2026.
Attack Chain
- Adversary gains initial access to the target Windows system.
- The attacker performs reconnaissance to identify backup file locations.
- The attacker uses a non-backup related process (e.g., cmd.exe, powershell.exe) to delete backup files.
- The attacker targets Veeam backup files with the extensions VBK, VIB, and VBM.
- The attacker targets Veritas Backup Exec files with the BKF extension.
- The deletion events are logged by the endpoint detection system.
- The detection rule triggers, identifying the anomalous deletion activity based on file extension and process context.
- Successful deletion of backups impairs the victim’s ability to recover from ransomware or other destructive attacks.
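The description and attack chain above boil down to three conditions: the deleted file carries a Veeam (VBK, VIB, VBM) or Veritas Backup Exec (BKF) extension, the deleting process is not part of the backup suite, and the event does not fall under one of the false-positive exclusions (Recycle Bin, Trend Micro, Exchange Mailbox Assistants). The following Python is an added example that applies that logic to constructed file-deletion events; it is not the Elastic or Sigma rule itself, and the process names, directory fragments, and event field names it uses are assumptions for the demo rather than the rules' exact values.

```python
"""Toy evaluator for the 'backup file deleted by an unexpected process' logic.

Added example, not the Elastic or Sigma rule. Process names, directory
fragments and event field names are assumptions chosen for this demo.
"""
from pathlib import PureWindowsPath

# Veeam (.vbk/.vib/.vbm) and Veritas Backup Exec (.bkf) extensions named on the page.
BACKUP_EXTENSIONS = {".vbk", ".vib", ".vbm", ".bkf"}

# ASSUMPTION: stand-in binary names for the trusted backup suites and the
# Exchange Mailbox Assistants exclusion; the real rules list their own values.
TRUSTED_PROCESS_NAMES = {
    "veeam.backup.service.exe",
    "veeamagent.exe",
    "beremote.exe",
    "msexchangemailboxassistants.exe",
}

# ASSUMPTION: lower-case directory fragments used for the remaining exclusions.
EXCLUDED_PROCESS_DIRS = ("\\program files\\trend micro\\",)
EXCLUDED_FILE_DIRS = ("\\$recycle.bin\\",)


def _in_dirs(path, fragments):
    low = path.lower()
    return any(frag in low for frag in fragments)


def is_backup_file(path):
    """True if the path ends in one of the watched backup extensions (case-insensitive)."""
    return PureWindowsPath(path).suffix.lower() in BACKUP_EXTENSIONS


def is_trusted_process(process_path):
    """True if the executable belongs to the backup suite or an allow-listed directory."""
    name = PureWindowsPath(process_path).name.lower()
    return name in TRUSTED_PROCESS_NAMES or _in_dirs(process_path, EXCLUDED_PROCESS_DIRS)


def should_alert(event):
    """Apply the rule conditions to one normalized event; return True to alert."""
    if event.get("action") != "deletion":
        return False
    target = event["file_path"]
    if not is_backup_file(target) or _in_dirs(target, EXCLUDED_FILE_DIRS):
        return False
    return not is_trusted_process(event["process"])


# Constructed sample telemetry (not real logs): one normalized dict per event.
SAMPLE_EVENTS = [
    {"action": "deletion", "process": r"C:\Windows\System32\cmd.exe",
     "file_path": r"D:\Backups\srv01_D2024-01-05.vbk"},
    {"action": "deletion",
     "process": r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe",
     "file_path": r"D:\Backups\srv01_D2023-12-29.vib"},
    {"action": "deletion", "process": r"C:\Windows\explorer.exe",
     "file_path": r"C:\$Recycle.Bin\S-1-5-21-1\$RJ3K2L.vbm"},
    {"action": "deletion",
     "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "file_path": r"E:\BackupExec\Data\daily.bkf"},
    {"action": "deletion",
     "process": r"C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe",
     "file_path": r"E:\BackupExec\Data\quarantine.bkf"},
    {"action": "creation", "process": r"C:\Windows\System32\cmd.exe",
     "file_path": r"D:\Backups\srv02.vbk"},
    {"action": "deletion", "process": r"C:\Windows\notepad.exe",
     "file_path": r"D:\Backups\readme.txt"},
]


def flagged_deletions(events=SAMPLE_EVENTS):
    """Return (process name, file path) for every event the rule would alert on."""
    return [(PureWindowsPath(e["process"]).name, e["file_path"])
            for e in events if should_alert(e)]


if __name__ == "__main__":
    for proc, path in flagged_deletions():
        print(f"ALERT: {proc} deleted {path}")
```

Run against the constructed events, only the cmd.exe deletion of the VBK file and the powershell.exe deletion of the BKF file are flagged; the Veeam service, the Recycle Bin path, the Trend Micro agent, the non-deletion event, and the non-backup file all fall through the same exclusions the page describes. In a SIEM the trusted-process list is the part that needs the most tuning, since each environment installs the backup agents under different names and paths.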
Impact
Successful deletion of backup files can severely impact an organization’s ability to recover from a ransomware attack or other data loss events. Without viable backups, the victim organization may be forced to pay a ransom or face significant data loss and business disruption. This tactic directly increases the attacker’s leverage and potential financial gain. The rule’s documentation cites a report from AdvIntel detailing backup removal solutions seen with Conti ransomware.
Recommendation
- Deploy the Sigma rule Unexpected Veeam Backup File Deletion to your SIEM and tune it for your environment to detect unexpected deletion of Veeam backup files.
- Deploy the Sigma rule Unexpected Veritas Backup File Deletion to your SIEM and tune it for your environment to detect unexpected deletion of Veritas Backup Exec files.
- Investigate any alerts generated by these rules to determine the source of the deletion and assess potential impact.
- Enable endpoint file event logging to capture file deletion events, which are crucial for the Sigma rules.
- Review process execution chains (parent process tree) for unknown processes to identify the root cause of unexpected file deletions.
Detection coverage (2 rules)
Unexpected Veeam Backup File Deletion
Severity: medium. Detects the deletion of Veeam backup files by a process not associated with Veeam software.
Unexpected Veritas Backup File Deletion
Severity: medium. Detects the deletion of Veritas Backup Exec files by a process not associated with Veritas.