Adversaries may delete backup files to prevent data recovery and obfuscate their presence, indicating potential ransomware activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate ransomware attacks before they cause irreversible data loss.
KQL Query
AlertInfo
| where Timestamp > ago(7d)
| where Title == "File backups were deleted"
id: 1df2054c-5c63-4a2c-943b-0069af45bd38
name: backup-deletion
description: |
  This query was originally published in the threat analytics report, Ransomware continues to hit healthcare, critical services. There is also a related blog.
  In April of 2020, security researchers observed multiple ransomware campaigns using the same set of techniques.
  The following query returns alerts raised when backup files were deleted.
  The See also section below lists more queries related to techniques shared by these campaigns.
  Reference - https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - AlertInfo
tactics:
  - Defense evasion
  - Impact
query: |
  AlertInfo
  | where Timestamp > ago(7d)
  | where Title == "File backups were deleted"
Known benign scenarios and suggested exclusions. Each filter is written as the condition an alert must satisfy to be kept; the inequality terms are combined with AND (a chain of "!=" joined by OR is always true and would exclude nothing).

Scenario: Scheduled Backup Cleanup Job
Description: A legitimate scheduled task runs to clean up old backup files to free up storage space.
Filter/Exclusion: process.name != "backup_cleanup.exe" AND process.name != "vss_admin.exe"

Scenario: System Maintenance Task (e.g., Windows Disk Cleanup)
Description: A system maintenance task is executed to remove temporary files or unused system components.
Filter/Exclusion: process.name != "cleanmgr.exe" AND process.name != "diskcleanup.exe"

Scenario: Admin Performing Manual Backup Deletion
Description: An administrator manually deletes old backups as part of routine maintenance or storage management.
Filter/Exclusion: NOT (user.name IN ("admin", "backup_admin") AND process.name == "del.exe")

Scenario: Antivirus or Endpoint Protection Scan
Description: A security tool temporarily deletes files during a scan or quarantine process.
Filter/Exclusion: process.name != "mpcmdrun.exe" AND process.name != "mcafee.exe" AND process.name != "avgnt.exe"

Scenario: Log File Rotation or Archive Management
Description: A log management tool rotates or archives log files, which may involve deleting old backups.
Filter/Exclusion: process.name != "logrotate.exe" AND process.name != "rsync.exe" AND process.name != "logrotate.sh"
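The following KQL is an added example, not part of the original hunting query or its YAML: it extends the base query with the five benign-activity exclusions above, applied at the alert level. It assumes that the deleting process and account are recorded as evidence rows for the alert in the AlertEvidence table (FileName, AccountName, ProcessCommandLine, DeviceName), which the page does not state; the process and account lists are copied from the scenarios above and lower-cased so the comparison is case-insensitive.

```kql
// Added example (not the page's own query). Assumes process/account evidence
// for the alert is available in AlertEvidence joined on AlertId.
let benign_cleanup_procs = dynamic([
    "backup_cleanup.exe", "vss_admin.exe",          // scheduled backup cleanup
    "cleanmgr.exe", "diskcleanup.exe",              // system maintenance
    "mpcmdrun.exe", "mcafee.exe", "avgnt.exe",      // endpoint protection scans
    "logrotate.exe", "rsync.exe", "logrotate.sh"    // log rotation / archiving
]);
let backup_admins = dynamic(["admin", "backup_admin"]);   // manual-deletion scenario
AlertInfo
| where Timestamp > ago(7d)
| where Title == "File backups were deleted"
| join kind=inner (
    AlertEvidence
    | where Timestamp > ago(7d)
    | where EntityType in ("Process", "File", "User")
    // project before the join so AlertEvidence.Timestamp does not collide
    | project AlertId, FileName = tolower(FileName), ProcessCommandLine,
              AccountName = tolower(AccountName), DeviceName
  ) on AlertId
// Collapse the evidence rows back to one row per alert.
| summarize Processes = make_set(FileName),
            CommandLines = make_set(ProcessCommandLine),
            Accounts = make_set(AccountName),
            Devices = make_set(DeviceName)
          by AlertId, Timestamp, Title, Severity, Category
// Scenarios 1, 2, 4, 5: processes on the alert that are NOT a known cleanup tool.
| extend UnexpectedProcs = set_difference(Processes, benign_cleanup_procs)
// Scenario 3: a listed backup admin deleting with del.exe is routine maintenance.
| extend AdminManualDelete = array_length(set_intersect(Accounts, backup_admins)) > 0
                             and set_has_element(Processes, "del.exe")
// Keep the alert only if some non-benign process was involved and it is not
// the admin manual-deletion case.
| where array_length(UnexpectedProcs) > 0 and not(AdminManualDelete)
| project Timestamp, AlertId, Title, Severity, Category,
          Devices, Accounts, UnexpectedProcs, CommandLines
| order by Timestamp desc
```

An alert is suppressed only when every process attached to it is on the benign list, so an alert that mixes a cleanup tool with an unknown binary still surfaces. Process and account names are attacker-controlled strings, so treat these exclusions as a starting point: for the admin scenario in particular, tighten the suppression with a condition the attacker cannot cheaply satisfy, such as restricting it to the named backup servers in Devices or to a known scheduled-task command line in CommandLines.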