Third-party Backup Files Deleted via Unexpected Process

edit

Third-party Backup Files Deleted via Unexpected Process

edit

Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a Ransomware attack is less likely.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Impact

Version: 1

Added (Elastic Stack release): 7.16.0

Rule authors: Elastic

Rule license: Elastic License v2

Potential false positives

edit

Certain utilities that delete files for disk cleanup or Administrators manually removing backup files.

Rule query

edit
file where event.type == "deletion" and ( /* Veeam Related Backup
Files */ (file.extension : ("VBK", "VIB", "VBM") and not
process.executable : ("?:\\Windows\\Veeam\\Backup\\*",
"?:\\Program Files\\Veeam\\Backup and Replication\\*",
"?:\\Program Files (x86)\\Veeam\\Backup and Replication\\*")) or /*
Veritas Backup Exec Related Backup File */ (file.extension : "BKF"
and not process.executable : ("?:\\Program Files\\Veritas\\Backup
Exec\\*", "?:\\Program Files
(x86)\\Veritas\\Backup Exec\\*")) )

Threat mapping

edit

Framework: MITRE ATT&CKTM