{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/veritas/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","Backup Exec","Veeam","Microsoft Power BI Enterprise Gateway","Trend Micro"],"_cs_severities":["medium"],"_cs_tags":["impact","backup deletion","ransomware"],"_cs_type":"advisory","_cs_vendors":["Elastic","Veritas","Veeam","Trend Micro","Microsoft"],"content_html":"\u003cp\u003eThis rule identifies the deletion of backup files, specifically those created by Veeam and Veritas Backup Exec, through unexpected processes on Windows systems. The rule aims to detect potential attempts to inhibit system recovery by adversaries, particularly in the context of ransomware attacks. Attackers often target backup files to eliminate recovery options for victims. This detection focuses on identifying file deletion events where the process responsible for the deletion does not belong to the trusted backup software suite. The rule excludes known legitimate processes and directories like Trend Micro\u0026rsquo;s, Microsoft Exchange Mailbox Assistants, and the Recycle Bin to minimize false positives. The original Elastic detection rule was created in October 2021 and last updated May 4, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAdversary gains initial access to the target Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance to identify backup file locations.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a non-backup related process (e.g., \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e) to delete backup files.\u003c/li\u003e\n\u003cli\u003eThe attacker targets Veeam backup files with extensions \u003ccode\u003eVBK\u003c/code\u003e, \u003ccode\u003eVIB\u003c/code\u003e, and \u003ccode\u003eVBM\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker targets Veritas Backup Exec files with the \u003ccode\u003eBKF\u003c/code\u003e extension.\u003c/li\u003e\n\u003cli\u003eThe deletion events are logged by the endpoint detection system.\u003c/li\u003e\n\u003cli\u003eThe detection rule triggers, identifying the anomalous deletion activity based on file extension and process context.\u003c/li\u003e\n\u003cli\u003eSuccessful deletion of backups impairs the victim\u0026rsquo;s ability to recover from ransomware or other destructive attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of backup files can severely impact an organization\u0026rsquo;s ability to recover from a ransomware attack or other data loss events. Without viable backups, the victim organization may be forced to pay a ransom or face significant data loss and business disruption. This tactic directly increases the attacker\u0026rsquo;s leverage and potential financial gain. The rule\u0026rsquo;s documentation cites a report from AdvIntel detailing backup removal solutions seen with Conti ransomware.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eUnexpected Veeam Backup File Deletion\u003c/code\u003e to your SIEM and tune for your environment to detect unexpected deletion of Veeam backup files.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eUnexpected Veritas Backup File Deletion\u003c/code\u003e to your SIEM and tune for your environment to detect unexpected deletion of Veritas Backup Exec files.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules to determine the source of the deletion and assess potential impact.\u003c/li\u003e\n\u003cli\u003eEnable endpoint file event logging to capture file deletion events, which are crucial for the Sigma rules.\u003c/li\u003e\n\u003cli\u003eReview process execution chains (parent process tree) for unknown processes to identify the root cause of unexpected file deletions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:12:00Z","date_published":"2024-01-03T18:12:00Z","id":"/briefs/2024-01-03-backup-deletion/","summary":"This detection identifies the deletion of backup files by processes outside of the backup suite, specifically targeting Veritas and Veeam backups, which may indicate an attempt to prevent recovery from ransomware.","title":"Third-party Backup Files Deleted via Unexpected Process","url":"https://feed.craftedsignal.io/briefs/2024-01-03-backup-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed — Veritas","version":"https://jsonfeed.org/version/1.1"}