Adversaries may delete backup files to remove evidence of their presence or to prevent system recovery after compromising an environment (ATT&CK T1490, Inhibit System Recovery). SOC teams should proactively hunt for this behavior in Azure Sentinel so that attempts to inhibit recovery are identified early, before the adversary's impact objective is reached.
Detection Rule
title: Backup Files Deleted
id: 06125661-3814-4e03-bfa2-1e4411c60ac3
status: test
description: Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-6---windows---delete-backup-files
author: frack113
date: 2022-01-02
modified: 2023-02-15
tags:
    - attack.impact
    - attack.t1490
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wt.exe'
            - '\rundll32.exe'
            - '\regsvr32.exe'
        TargetFilename|endswith:
            - '.VHD'
            - '.bac'
            - '.bak'
            - '.wbcat'
            - '.bkf'
            - '.set'
            - '.win'
            - '.dsk'
    condition: selection
falsepositives:
    - Legitimate usage
level: medium
Azure Sentinel Query (ASIM imFileEvent)
imFileEvent
// Sigma logsource category file_delete: keep only deletion events
| where EventType == "FileDeleted"
// Sigma's Image field is the process that performed the delete, which in ASIM is
// ActingProcessName (full image path). TargetFilePath is the path of the deleted file,
// so filtering it on shell executables would never match a backup file.
| where ActingProcessName endswith "\\cmd.exe"
    or ActingProcessName endswith "\\powershell.exe"
    or ActingProcessName endswith "\\pwsh.exe"
    or ActingProcessName endswith "\\wt.exe"
    or ActingProcessName endswith "\\rundll32.exe"
    or ActingProcessName endswith "\\regsvr32.exe"
// KQL endswith is case-insensitive, so ".VHD" also matches ".vhd"
| where TargetFileName endswith ".VHD"
    or TargetFileName endswith ".bac"
    or TargetFileName endswith ".bak"
    or TargetFileName endswith ".wbcat"
    or TargetFileName endswith ".bkf"
    or TargetFileName endswith ".set"
    or TargetFileName endswith ".win"
    or TargetFileName endswith ".dsk"
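The selection above, re-implemented in Python over ASIM-style file events so the matching semantics can be exercised offline, together with the allowlist tuning suggested by the false-positive scenarios that follow. This is an added example, not the Sigma rule's or Sentinel's own code. Field names follow the ASIM FileEvent schema (EventType, ActingProcessName, TargetFileName, ActorUsername); the use of ParentProcessName for parent-based exclusions is an assumption, and every event and allowlist entry below is constructed.

```python
# Added example: 'Backup Files Deleted' selection plus false-positive tuning.
# Not the rule's or Sentinel's own code. ParentProcessName is an assumed field;
# all events and allowlists are constructed.

# Suffix lists copied from the Sigma rule
BACKUP_EXTENSIONS = (".VHD", ".bac", ".bak", ".wbcat", ".bkf", ".set", ".win", ".dsk")
SUSPICIOUS_IMAGES = (
    "\\cmd.exe", "\\powershell.exe", "\\pwsh.exe",
    "\\wt.exe", "\\rundll32.exe", "\\regsvr32.exe",
)

# Tuning allowlists drawn from the false-positive scenarios (constructed; tailor per environment)
BACKUP_TOOL_PARENTS = ("\\veeam.exe", "\\acronisbackup.exe")
MAINTENANCE_ACCOUNTS = {"system", "localservice", "local service"}
TASK_SCHEDULER_PARENTS = ("\\schtasks.exe", "\\svchost.exe")


def _endswith_any(value: str, suffixes) -> bool:
    """Case-insensitive suffix test, matching KQL `endswith` semantics."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _short_user(username: str) -> str:
    """Strip a DOMAIN\\ prefix so 'NT AUTHORITY\\SYSTEM' compares as 'system'."""
    return username.rsplit("\\", 1)[-1].lower()


def matches_rule(event: dict) -> bool:
    """Sigma selection: a shell/LOLBin image deleting a file with a backup extension."""
    return (
        event.get("EventType") == "FileDeleted"
        and _endswith_any(event.get("ActingProcessName", ""), SUSPICIOUS_IMAGES)
        and _endswith_any(event.get("TargetFileName", ""), BACKUP_EXTENSIONS)
    )


def suppression_reason(event: dict):
    """Return why a matching event is expected activity, or None to alert on it."""
    parent = event.get("ParentProcessName", "")  # assumed field
    if _endswith_any(parent, BACKUP_TOOL_PARENTS):
        return "backup-tool child process"
    # Scheduled maintenance: require BOTH the service account and a task-scheduler parent.
    # Suppressing SYSTEM on its own would also hide malicious deletes running as SYSTEM.
    if _short_user(event.get("ActorUsername", "")) in MAINTENANCE_ACCOUNTS \
            and _endswith_any(parent, TASK_SCHEDULER_PARENTS):
        return "scheduled maintenance task"
    return None


def triage(events):
    """Split rule matches into alerts (file names) and suppressed {file name: reason}."""
    alerts, suppressed = [], {}
    for ev in events:
        if not matches_rule(ev):
            continue
        reason = suppression_reason(ev)
        if reason:
            suppressed[ev["TargetFileName"]] = reason
        else:
            alerts.append(ev["TargetFileName"])
    return alerts, suppressed


# Constructed sample events in ASIM FileEvent shape
SAMPLE_EVENTS = [
    {"EventType": "FileDeleted", "ActingProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe", "ActorUsername": "CORP\\jdoe",
     "TargetFileName": "finance-db.bak"},                       # interactive shell -> alert
    {"EventType": "FileDeleted",
     "ActingProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentProcessName": "C:\\Program Files\\Veeam\\veeam.exe", "ActorUsername": "CORP\\svc_backup",
     "TargetFileName": "job-tmp.bkf"},                          # backup tool cleanup -> suppressed
    {"EventType": "FileDeleted", "ActingProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessName": "C:\\Windows\\System32\\svchost.exe", "ActorUsername": "NT AUTHORITY\\SYSTEM",
     "TargetFileName": "old-image.VHD"},                        # scheduled task -> suppressed
    {"EventType": "FileDeleted", "ActingProcessName": "C:\\Windows\\System32\\notepad.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe", "ActorUsername": "CORP\\jdoe",
     "TargetFileName": "notes.bak"},                            # image not in list -> no match
    {"EventType": "FileCreated", "ActingProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe", "ActorUsername": "CORP\\jdoe",
     "TargetFileName": "new.bak"},                              # not a delete -> no match
    {"EventType": "FileDeleted", "ActingProcessName": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe", "ActorUsername": "CORP\\jdoe",
     "TargetFileName": "ARCHIVE.DSK"},                          # upper-case extension -> alert
]

if __name__ == "__main__":
    found, expected = triage(SAMPLE_EVENTS)
    print("alerts:", found)
    print("suppressed:", expected)
```

The two-condition maintenance exclusion is deliberate: the scenario text suggests filtering on the SYSTEM account alone, but that would also drop deletes performed by anything else running as SYSTEM, so the example only suppresses when the service account is combined with a task-scheduler parent.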
False Positive Scenarios
Scenario: Scheduled Backup Job Completion
Description: A legitimate backup job (e.g., using Veeam, Acronis, or Microsoft Backup) completes and deletes temporary backup files or logs.
Filter/Exclusion: Check for processes associated with backup tools (e.g., veeam.exe, acronisbackup.exe) or use a filter like process.name IN ("veeam.exe", "acronisbackup.exe").
Scenario: System Maintenance Task
Description: A system maintenance task (e.g., Windows Task Scheduler job) deletes old backup files to free up disk space.
Filter/Exclusion: Filter by user account (e.g., user.name == "SYSTEM" or user.name == "LocalService") or check for task scheduler-related processes (e.g., schtasks.exe).
Scenario: Admin Cleanup of Temporary Files
Description: An administrator manually or via script (e.g., PowerShell or batch) deletes temporary backup files during routine system cleanup.
Filter/Exclusion: Use a filter for known admin accounts (e.g., user.name == "Administrator") or check for script execution (e.g., process.name == "powershell.exe" with command-line arguments indicating cleanup).
Scenario: Version Control System Cleanup
Description: A version control system (e.g., Git, SVN) or CI/CD tool (e.g., Jenkins, GitHub Actions) deletes old backup files during a repository cleanup or artifact purge.
Filter/Exclusion: Filter by process names associated with version control (e.g., git.exe, jenkins.exe) or check for known CI/CD tool activity.
Scenario: Database Backup Rotation
Description: A database backup rotation process (e.g., using SQL Server Backup, Oracle RMAN, or MySQL `mys