Impact

This rule detects file name patterns generated by the use of Sysinternals SDelete utility, potentially used by attackers to delete forensic indicators and hinder data recovery efforts.

This brief focuses on detecting deletion actions within GitHub audit logs, specifically targeting the deletion of codespaces, environments, projects, and repositories, potentially indicating malicious activity or insider threats.

Multiple vulnerabilities in Dell PowerProtect Data Domain OS allow an attacker to execute arbitrary code with root privileges, escalate privileges to administrator, bypass security measures, manipulate data, disclose sensitive information, or conduct unspecified attacks.

An adversary may delete an AWS SAML provider to disrupt administrative access, hindering incident response and potentially escalating privileges within the AWS environment.

An Okta network zone was deactivated or deleted, potentially indicating malicious activity aimed at bypassing security controls.

This rule detects potential ransomware behavior by identifying the creation of multiple files with the same name over SMB by the SYSTEM account, potentially indicating remote execution of ransomware dropping note files.

Detection of GitHub repository archiving or unarchiving events, which could indicate malicious activity such as persistence, impact, or defense impairment.

This detection identifies the deletion of backup files by processes outside of the backup suite, specifically targeting Veritas and Veeam backups, which may indicate an attempt to prevent recovery from ransomware.

This rule identifies the use of bcdedit.exe to modify boot configuration data, which may be indicative of a destructive attack or ransomware activity aimed at inhibiting system recovery by disabling error recovery or ignoring boot failures.

This alert identifies when an application is deleted within an Azure environment, which could indicate malicious activity or unintended misconfiguration leading to service disruption.

Adversaries may delete Windows backup catalogs and system state backups using wbadmin.exe to inhibit system recovery, often as part of ransomware or other destructive attacks.

Attackers disable Windows System Restore by modifying specific registry keys to hinder recovery efforts after malicious activity.

The rule detects attempts to reset potentially privileged account passwords remotely, a tactic used by adversaries to maintain access, evade password policies, and preserve compromised credentials.

A high number of process terminations (stop, delete, or suspend) from the same Windows host within a short time period may indicate malicious activity such as an attacker attempting to disable security measures or prepare for ransomware deployment.