https://feed.craftedsignal.io/tags/backup-deletion/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 18:12:00 +0000https://feed.craftedsignal.io/briefs/2024-01-03-backup-deletion/Wed, 03 Jan 2024 18:12:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-backup-deletion/This detection identifies the deletion of backup files by processes outside of the backup suite, specifically targeting Veritas and Veeam backups, which may indicate an attempt to prevent recovery from ransomware.This rule identifies the deletion of backup files, specifically those created by Veeam and Veritas Backup Exec, through unexpected processes on Windows systems. The rule aims to detect potential attempts to inhibit system recovery by adversaries, particularly in the context of ransomware attacks. Attackers often target backup files to eliminate recovery options for victims. This detection focuses on identifying file deletion events where the process responsible for the deletion does not belong to the trusted backup software suite. The rule excludes known legitimate processes and directories like Trend Micro’s, Microsoft Exchange Mailbox Assistants, and the Recycle Bin to minimize false positives. The original Elastic detection rule was created in October 2021 and last updated May 4, 2026.

Attack Chain

1. Adversary gains initial access to the target Windows system.
2. The attacker performs reconnaissance to identify backup file locations.
3. The attacker uses a non-backup related process (e.g., cmd.exe, powershell.exe) to delete backup files.
4. The attacker targets Veeam backup files with extensions VBK, VIB, and VBM.
5. The attacker targets Veritas Backup Exec files with the BKF extension.
6. The deletion events are logged by the endpoint detection system.
7. The detection rule triggers, identifying the anomalous deletion activity based on file extension and process context.
8. Successful deletion of backups impairs the victim’s ability to recover from ransomware or other destructive attacks.

Impact

Successful deletion of backup files can severely impact an organization’s ability to recover from a ransomware attack or other data loss events. Without viable backups, the victim organization may be forced to pay a ransom or face significant data loss and business disruption. This tactic directly increases the attacker’s leverage and potential financial gain. The rule’s documentation cites a report from AdvIntel detailing backup removal solutions seen with Conti ransomware.

Recommendation

• Deploy the Sigma rule Unexpected Veeam Backup File Deletion to your SIEM and tune for your environment to detect unexpected deletion of Veeam backup files.
• Deploy the Sigma rule Unexpected Veritas Backup File Deletion to your SIEM and tune for your environment to detect unexpected deletion of Veritas Backup Exec files.
• Investigate any alerts generated by these rules to determine the source of the deletion and assess potential impact.
• Enable endpoint file event logging to capture file deletion events, which are crucial for the Sigma rules.
• Review process execution chains (parent process tree) for unknown processes to identify the root cause of unexpected file deletions.

]]>mediumadvisoryimpactbackup deletionransomwarehttps://feed.craftedsignal.io/briefs/2024-01-wbadmin-backup-deletion/Wed, 03 Jan 2024 15:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-wbadmin-backup-deletion/Adversaries may delete Windows backup catalogs and system state backups using wbadmin.exe to inhibit system recovery, often as part of ransomware or other destructive attacks.Attackers, including ransomware groups, often attempt to remove or impair an organization’s ability to recover from an attack. One method to achieve this is by deleting Windows backup catalogs and system state backups using the wbadmin.exe utility. Windows Server Backup stores details about backups (what volumes are backed up and where the backups are located) in a backup catalog. Removing these catalogs renders backups unusable for recovery, increasing the impact of the attack. This technique is frequently observed in ransomware playbooks and other destructive attacks targeting Windows environments. This activity can be detected using endpoint detection and response (EDR) solutions, Windows Security Event Logs, and Sysmon.

Attack Chain

1. The attacker gains initial access to the system via phishing, exploiting a vulnerability, or using compromised credentials.
2. The attacker escalates privileges to administrator level to execute wbadmin.exe.
3. The attacker executes wbadmin.exe with the delete catalog command to remove backup catalogs.
4. The attacker executes wbadmin.exe with the delete systemstatebackup command to remove system state backups.
5. The attacker may also delete shadow copies using vssadmin.exe or wmic.exe to further hinder recovery.
6. The attacker deploys ransomware or initiates other destructive actions.
7. The attacker encrypts or destroys data on the system and connected network shares.
8. The attacker demands a ransom payment for data recovery, which is complicated by the deleted backups.

Impact

Successful deletion of backup catalogs and system state backups significantly impairs an organization’s ability to recover from a ransomware attack or other destructive event. This can lead to prolonged downtime, data loss, and financial losses associated with incident response and recovery efforts. While the number of direct victims of this specific technique is difficult to quantify, the impact is typically observed in conjunction with broader ransomware campaigns affecting organizations across various sectors.

Recommendation

• Enable Sysmon process creation logging with Event ID 1 to capture wbadmin.exe executions and activate the first Sigma rule.
• Deploy the Sigma rules in this brief to your SIEM and tune for your environment.
• Monitor Windows Security Event Logs for process creation events related to wbadmin.exe.
• Investigate any instances of wbadmin.exe executing with delete arguments.
• Review and harden account access controls to prevent unauthorized use of wbadmin.exe.

]]>mediumadvisoryimpactbackup-deletionwindows