{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/backup-deletion/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","Backup Exec","Veeam","Microsoft Power BI Enterprise Gateway","Trend Micro"],"_cs_severities":["medium"],"_cs_tags":["impact","backup deletion","ransomware"],"_cs_type":"advisory","_cs_vendors":["Elastic","Veritas","Veeam","Trend Micro","Microsoft"],"content_html":"\u003cp\u003eThis rule identifies the deletion of backup files, specifically those created by Veeam and Veritas Backup Exec, through unexpected processes on Windows systems. The rule aims to detect potential attempts to inhibit system recovery by adversaries, particularly in the context of ransomware attacks. Attackers often target backup files to eliminate recovery options for victims. This detection focuses on identifying file deletion events where the process responsible for the deletion does not belong to the trusted backup software suite. The rule excludes known legitimate processes and directories like Trend Micro\u0026rsquo;s, Microsoft Exchange Mailbox Assistants, and the Recycle Bin to minimize false positives. The original Elastic detection rule was created in October 2021 and last updated May 4, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAdversary gains initial access to the target Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance to identify backup file locations.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a non-backup related process (e.g., \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e) to delete backup files.\u003c/li\u003e\n\u003cli\u003eThe attacker targets Veeam backup files with extensions \u003ccode\u003eVBK\u003c/code\u003e, \u003ccode\u003eVIB\u003c/code\u003e, and \u003ccode\u003eVBM\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker targets Veritas Backup Exec files with the \u003ccode\u003eBKF\u003c/code\u003e extension.\u003c/li\u003e\n\u003cli\u003eThe deletion events are logged by the endpoint detection system.\u003c/li\u003e\n\u003cli\u003eThe detection rule triggers, identifying the anomalous deletion activity based on file extension and process context.\u003c/li\u003e\n\u003cli\u003eSuccessful deletion of backups impairs the victim\u0026rsquo;s ability to recover from ransomware or other destructive attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of backup files can severely impact an organization\u0026rsquo;s ability to recover from a ransomware attack or other data loss events. Without viable backups, the victim organization may be forced to pay a ransom or face significant data loss and business disruption. This tactic directly increases the attacker\u0026rsquo;s leverage and potential financial gain. The rule\u0026rsquo;s documentation cites a report from AdvIntel detailing backup removal solutions seen with Conti ransomware.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eUnexpected Veeam Backup File Deletion\u003c/code\u003e to your SIEM and tune for your environment to detect unexpected deletion of Veeam backup files.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eUnexpected Veritas Backup File Deletion\u003c/code\u003e to your SIEM and tune for your environment to detect unexpected deletion of Veritas Backup Exec files.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules to determine the source of the deletion and assess potential impact.\u003c/li\u003e\n\u003cli\u003eEnable endpoint file event logging to capture file deletion events, which are crucial for the Sigma rules.\u003c/li\u003e\n\u003cli\u003eReview process execution chains (parent process tree) for unknown processes to identify the root cause of unexpected file deletions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:12:00Z","date_published":"2024-01-03T18:12:00Z","id":"/briefs/2024-01-03-backup-deletion/","summary":"This detection identifies the deletion of backup files by processes outside of the backup suite, specifically targeting Veritas and Veeam backups, which may indicate an attempt to prevent recovery from ransomware.","title":"Third-party Backup Files Deleted via Unexpected Process","url":"https://feed.craftedsignal.io/briefs/2024-01-03-backup-deletion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","CrowdStrike Falcon","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["impact","backup-deletion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers, including ransomware groups, often attempt to remove or impair an organization\u0026rsquo;s ability to recover from an attack. One method to achieve this is by deleting Windows backup catalogs and system state backups using the \u003ccode\u003ewbadmin.exe\u003c/code\u003e utility. Windows Server Backup stores details about backups (what volumes are backed up and where the backups are located) in a backup catalog. Removing these catalogs renders backups unusable for recovery, increasing the impact of the attack. This technique is frequently observed in ransomware playbooks and other destructive attacks targeting Windows environments. This activity can be detected using endpoint detection and response (EDR) solutions, Windows Security Event Logs, and Sysmon.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system via phishing, exploiting a vulnerability, or using compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to administrator level to execute wbadmin.exe.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ewbadmin.exe\u003c/code\u003e with the \u003ccode\u003edelete catalog\u003c/code\u003e command to remove backup catalogs.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ewbadmin.exe\u003c/code\u003e with the \u003ccode\u003edelete systemstatebackup\u003c/code\u003e command to remove system state backups.\u003c/li\u003e\n\u003cli\u003eThe attacker may also delete shadow copies using \u003ccode\u003evssadmin.exe\u003c/code\u003e or \u003ccode\u003ewmic.exe\u003c/code\u003e to further hinder recovery.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys ransomware or initiates other destructive actions.\u003c/li\u003e\n\u003cli\u003eThe attacker encrypts or destroys data on the system and connected network shares.\u003c/li\u003e\n\u003cli\u003eThe attacker demands a ransom payment for data recovery, which is complicated by the deleted backups.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of backup catalogs and system state backups significantly impairs an organization\u0026rsquo;s ability to recover from a ransomware attack or other destructive event. This can lead to prolonged downtime, data loss, and financial losses associated with incident response and recovery efforts. While the number of direct victims of this specific technique is difficult to quantify, the impact is typically observed in conjunction with broader ransomware campaigns affecting organizations across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging with Event ID 1 to capture \u003ccode\u003ewbadmin.exe\u003c/code\u003e executions and activate the first Sigma rule.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor Windows Security Event Logs for process creation events related to \u003ccode\u003ewbadmin.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003ewbadmin.exe\u003c/code\u003e executing with \u003ccode\u003edelete\u003c/code\u003e arguments.\u003c/li\u003e\n\u003cli\u003eReview and harden account access controls to prevent unauthorized use of \u003ccode\u003ewbadmin.exe\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-wbadmin-backup-deletion/","summary":"Adversaries may delete Windows backup catalogs and system state backups using wbadmin.exe to inhibit system recovery, often as part of ransomware or other destructive attacks.","title":"Windows Backup Deletion via Wbadmin","url":"https://feed.craftedsignal.io/briefs/2024-01-wbadmin-backup-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed — Backup-Deletion","version":"https://jsonfeed.org/version/1.1"}