T1485 Data Destruction

Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from Disk Content Wipe and Disk Structure Wipe because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.

Adversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)
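The distinction drawn above, between dropping a file's directory entry and overwriting its content, can be shown on a toy block device. The following Python is an added example, not code from ATT&CK or from any of the cited malware analyses: it models a disk as an array of fixed-size blocks plus a directory, implements an rm-style unlink and an overwrite-then-unlink, and carves the raw image by file signature the way a forensic tool would. The block size, the sample PDF content and the header/trailer signature are constructed values.

```python
"""Toy block-device model showing why rm/del is not data destruction.

Added example, not from the ATT&CK page. A disk is modelled as a bytearray of
fixed-size blocks plus a directory mapping names to block lists. unlink() does
what rm, del and unlink(2) do: it forgets the name and frees the blocks but
touches no data, so a signature carve over the raw image still recovers the
file. overwrite_and_unlink() writes random bytes over every block first, the
wiper behaviour described above, and the carve then finds nothing.
BLOCK_SIZE, NUM_BLOCKS and SAMPLE_PDF are constructed values.
"""
import os
import re

BLOCK_SIZE = 64   # assumed: tiny blocks keep the image small
NUM_BLOCKS = 32


class ToyDisk:
    def __init__(self):
        self.image = bytearray(BLOCK_SIZE * NUM_BLOCKS)   # the raw "disk"
        self.free = list(range(NUM_BLOCKS))              # free block numbers
        self.directory = {}                              # name -> [block numbers]

    def write_file(self, name, data):
        """Allocate blocks from the free list and copy data into them."""
        blocks = []
        for off in range(0, len(data), BLOCK_SIZE):
            chunk = data[off:off + BLOCK_SIZE]
            b = self.free.pop(0)
            start = b * BLOCK_SIZE
            self.image[start:start + len(chunk)] = chunk
            blocks.append(b)
        self.directory[name] = blocks

    def unlink(self, name):
        """Ordinary deletion: drop the directory entry, free the blocks, leave data."""
        self.free.extend(self.directory.pop(name))

    def overwrite_and_unlink(self, name, rng=os.urandom):
        """Destructive deletion: overwrite every block with random bytes, then unlink."""
        for b in self.directory[name]:
            start = b * BLOCK_SIZE
            self.image[start:start + BLOCK_SIZE] = rng(BLOCK_SIZE)
        self.unlink(name)

    def carve(self, header, trailer):
        """Signature carve over the raw image, ignoring the directory entirely.
        Returns every byte run from header through the next trailer."""
        pattern = re.compile(re.escape(header) + b".*?" + re.escape(trailer), re.DOTALL)
        return [m.group(0) for m in pattern.finditer(bytes(self.image))]


# Constructed sample file: 67 bytes, so it spans two blocks.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
              b"QUARTERLY-REPORT\n%%EOF")


def demo():
    """Return (carve results after rm, carve results after overwrite+rm)."""
    disk = ToyDisk()
    disk.write_file("report.pdf", SAMPLE_PDF)
    disk.unlink("report.pdf")                        # rm report.pdf
    after_rm = disk.carve(b"%PDF", b"%%EOF")         # still recoverable

    disk2 = ToyDisk()
    disk2.write_file("report.pdf", SAMPLE_PDF)
    disk2.overwrite_and_unlink("report.pdf")         # wiper behaviour
    after_wipe = disk2.carve(b"%PDF", b"%%EOF")      # nothing left to carve
    return after_rm, after_wipe


if __name__ == "__main__":
    recovered, wiped = demo()
    print("after rm:   ", len(recovered), "file(s) carved")
    print("after wipe: ", len(wiped), "file(s) carved")
```

Real filesystems add journals, copy-on-write snapshots and SSD wear levelling that can keep further copies of the data, which is why recovery after a plain delete is often possible and why wipers overwrite rather than delete.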

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018)

In cloud environments, adversaries may leverage access to delete cloud storage objects, machine images, database instances, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1485 | Data Destruction
Comments: This diagnostic statement protects against Data Destruction through the use of failsafes, backup facilities, disaster recovery, and resilience strategies, including resumption of critical services.

PR.AA-05.02 | Privileged system access | Mitigates | T1485 | Data Destruction
Comments: This diagnostic statement protects against Data Destruction through the use of privileged account management and multi-factor authentication.

PR.DS-11.01 | Data backup and replication | Mitigates | T1485 | Data Destruction
Comments: This diagnostic statement provides protection from adversaries that may try to destroy data and files on systems or on a network resource. Implementing a data backup or disaster recovery plan allows organizational data to be restored.

PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1485 | Data Destruction
Comments: This diagnostic statement protects against Data Destruction through revocation and management of the keys used in multi-factor authentication. Employing key protection strategies, limiting keys to specific accounts, and applying access control mechanisms provide protection against adversaries attempting to destroy data.

ID.IM-02.06 | Accurate data recovery | Mitigates | T1485 | Data Destruction
Comments: This diagnostic statement emphasizes facilitating data recovery through robust data backup strategies, comprehensive disaster recovery plans, and effective business continuity frameworks, specifically designed to address scenarios in which adversaries attempt to destroy data and/or files on systems within a large network.

PR.IR-04.02 | Availability and capacity management | Mitigates | T1485 | Data Destruction
Comments: This diagnostic approach safeguards systems and network resources from adversaries seeking to disrupt availability by destroying data files. Implementing mitigation strategies, such as data backup, enables the restoration of organizational data and critical information. Additionally, multi-factor authentication restricts unauthorized use of credentials, thereby reducing the risk of data destruction.

PR.PS-01.09 | Virtualized end point protection | Mitigates | T1485 | Data Destruction
Comments: The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources, and may delete virtual machines from on-premises virtualized environments. For example, enabling multi-factor authentication (MFA) delete on cloud storage resources such as AWS S3 buckets prevents deletion of critical data and infrastructure without a second factor.

PR.AA-01.01 | Identity and credential management | Mitigates | T1485 | Data Destruction
Comments: This diagnostic statement protects against Data Destruction through the use of hardened access control policies, secure defaults, password complexity requirements, multi-factor authentication requirements, and removal of terminated accounts.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
CP-07 | Alternate Processing Site | mitigates | T1485 | Data Destruction
CP-10 | System Recovery and Reconstitution | mitigates | T1485 | Data Destruction
CP-02 | Contingency Plan | mitigates | T1485 | Data Destruction
CP-09 | System Backup | mitigates | T1485 | Data Destruction
SI-03 | Malicious Code Protection | mitigates | T1485 | Data Destruction
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1485 | Data Destruction
CM-02 | Baseline Configuration | mitigates | T1485 | Data Destruction
SI-04 | System Monitoring | mitigates | T1485 | Data Destruction
AC-03 | Access Enforcement | mitigates | T1485 | Data Destruction
AC-06 | Least Privilege | mitigates | T1485 | Data Destruction

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1485 | Data Destruction
action.malware.variety.Destroy data | Destroy or corrupt stored data | related-to | T1485 | Data Destruction
attribute.availability.variety.Destruction | Destruction | related-to | T1485 | Data Destruction
attribute.availability.variety.Interruption | Interruption | related-to | T1485 | Data Destruction

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

defender_for_storage | Microsoft Defender for Cloud: Defender for Storage | technique_scores | T1485 | Data Destruction
Comments: This control may generate alerts when there has been an unusual or unexpected delete operation within Azure cloud storage. Alerts may not be generated for the disabling of storage backups or versioning, or for the editing of storage objects.

ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | technique_scores | T1485 | Data Destruction
Comments: This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can help mitigate this technique by preventing modification of the local filesystem. Because it is a recommendation rather than an enforced control, its score is capped at Partial.

azure_backup | Azure Backup | technique_scores | T1485 | Data Destruction
Comments: Data backups provide a significant response to data destruction by enabling the restoration of data from backup.

azure_policy | Azure Policy | technique_scores | T1485 | Data Destruction
Comments: This control may provide recommendations to enable soft deletion and purge protection in Azure Key Vault. This can help mitigate malicious deletion of keys and secrets stored within Key Vault.

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

backup_and_dr_actifiogo | Backup and DR-Actifio GO | technique_scores | T1485 | Data Destruction
Comments: Backup and DR-Actifio GO is a copy data management platform that virtualizes application data to improve an organization's resiliency and cloud mobility. This capability allows an organization to take regular backups and provides several methods of restoring application and/or VM data to a previous state. This provides a significant ability to respond to a Data Destruction event, since an organization can restore lost data from the latest backup.

AWS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

amazon_guardduty | Amazon GuardDuty | technique_scores | T1485 | Data Destruction
Comments: The following GuardDuty finding types flag events where adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources:
Impact:S3/MaliciousIPCaller
Impact:IAMUser/AnomalousBehavior
Stealth:S3/ServerAccessLoggingDisabled
UnauthorizedAccess:S3/MaliciousIPCaller.Custom
UnauthorizedAccess:S3/TorIPCaller
PenTest:S3/PentooLinux
PenTest:S3/ParrotLinux
PenTest:S3/KaliLinux
aws_cloudendure_disaster_recovery | AWS CloudEndure Disaster Recovery | technique_scores | T1485 | Data Destruction
Comments: AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into the AWS Cloud. In the event that data on servers is destroyed, CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant.
aws_config | AWS Config | technique_scores | T1485 | Data Destruction
Comments: The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious write access to data within Amazon Simple Storage Service (S3), which may include data destruction: "s3-bucket-blacklisted-actions-prohibited" checks whether bucket policies prohibit disallowed actions (including s3:DeleteObject) for principals from other AWS accounts; "s3-bucket-default-lock-enabled" checks whether a bucket that should be locked in write-once-read-many (WORM) mode is configured to prevent modification; and "s3-bucket-public-write-prohibited" checks whether a bucket is configured to allow public access and modification. All of these rules are evaluated on configuration changes.

The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure backups and redundancy are in place, which can mitigate the effects of data destruction: "aurora-mysql-backtracking-enabled" for data in Aurora MySQL; "db-instance-backup-enabled" and "rds-in-backup-plan" for Amazon Relational Database Service (RDS) data; "dynamodb-in-backup-plan" and "dynamodb-pitr-enabled" for Amazon DynamoDB table contents; "ebs-in-backup-plan" for Elastic Block Store (EBS) volumes; "efs-in-backup-plan" for Amazon Elastic File System (EFS) file systems; "elasticache-redis-cluster-automatic-backup-check" for Amazon ElastiCache Redis cluster data; "redshift-backup-enabled" and "redshift-cluster-maintenancesettings-check" for Redshift; "s3-bucket-replication-enabled" and "s3-bucket-versioning-enabled" for S3 storage; and "cloudfront-origin-failover-enabled" for CloudFront.

The following AWS Config managed rules provide specific detections for configuration problems that should be fixed in order to prevent malicious deletion of specific resources: "elb-deletion-protection-enabled" for Elastic Load Balancing load balancers, and "rds-cluster-deletion-protection-enabled" and "rds-instance-deletion-protection-enabled" for RDS data. Coverage is partial for these rules, since they are specific to a subset of the available AWS services and will only protect certain types of data against destruction, resulting in an overall score of Partial.
aws_rds | AWS RDS | technique_scores | T1485 | Data Destruction
Comments: AWS RDS provides deletion protection, which prevents any user from deleting a database instance while the setting is on. If applied, the setting may mitigate attempts to delete a database instance. Deletion protection is itself an instance setting, so a principal permitted to modify the instance can turn it off before deleting; it should be paired with least-privilege IAM and monitoring of modify events. This mapping is given a score of Significant.
aws_rds | AWS RDS | technique_scores | T1485 | Data Destruction
Comments: AWS RDS generates events for database instances, including the following events that may indicate an adversary has destroyed a database instance or snapshot:
RDS-EVENT-0003: The DB instance has been deleted
RDS-EVENT-0041: A DB snapshot has been deleted
This mapping is given a score of Partial because the events cannot differentiate between an authorized and an unauthorized deletion.
aws_rds | AWS RDS | technique_scores | T1485 | Data Destruction
Comments: AWS RDS supports the replication and recovery of database instances. In the event that a database instance is deleted, RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant.
aws_s3 | AWS S3 | technique_scores | T1485 | Data Destruction
Comments: AWS S3 may protect against data destruction through application of several best practices. MFA delete can be enabled, requiring a second factor to permanently delete an object version or to change the versioning state of a bucket. Versioning can be enabled to revert objects to a previous state after malicious destruction or corruption. S3 Object Lock can prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. In addition, S3 Cross-Region Replication can replicate S3 buckets to another AWS region for added protection.
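The S3 settings listed here (versioning, MFA delete, Object Lock) and the S3-related AWS Config rules above (public-write, blacklisted cross-account actions) can be evaluated offline against the configuration documents the S3 API returns, which is useful when AWS Config is not deployed in an account. The following Python is an added example, not part of the Mappings Explorer page or of AWS Config. The account id, bucket names and policies are constructed sample data, and treating Service and Federated principals as in-account is a simplifying assumption.

```python
"""Offline check of S3 bucket settings that limit data destruction.

Added example, not part of the Mappings Explorer page or of AWS Config.
It mirrors the intent of the rules named above: s3-bucket-versioning-enabled,
s3-bucket-default-lock-enabled, s3-bucket-public-write-prohibited and
s3-bucket-blacklisted-actions-prohibited (for s3:DeleteObject), plus the MFA
delete setting. Inputs are dicts in the shape returned by GetBucketVersioning,
GetObjectLockConfiguration, GetPublicAccessBlock and GetBucketPolicy; every
value below is constructed sample data.
"""
import json

OWN_ACCOUNT = "111122223333"   # assumed: the account that owns the buckets

# Actions that let a principal delete, overwrite or expire objects.
DESTRUCTIVE_ACTIONS = {
    "s3:deleteobject", "s3:deleteobjectversion", "s3:putobject",
    "s3:putlifecycleconfiguration", "s3:putbucketversioning",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_is_destructive(action):
    a = action.lower()
    if a in ("*", "s3:*"):
        return True
    if a.endswith("*"):                       # wildcard such as s3:Delete*
        return any(d.startswith(a[:-1]) for d in DESTRUCTIVE_ACTIONS)
    return a in DESTRUCTIVE_ACTIONS


def _principal_accounts(principal):
    """Yield the account ids (or '*') named by a statement's Principal.
    Only the AWS key and the bare wildcard are examined; Service and Federated
    principals are assumed (simplification) to be in-account integrations."""
    if principal == "*":
        yield "*"
        return
    if isinstance(principal, dict):
        for p in _as_list(principal.get("AWS", [])):
            parts = p.split(":")
            yield parts[4] if len(parts) >= 5 else p   # ARN account field, bare id, or '*'


def foreign_destructive_statements(policy, own_account=OWN_ACCOUNT):
    """Sids of Allow statements granting destructive actions outside own_account."""
    if isinstance(policy, str):                # GetBucketPolicy returns a JSON string
        policy = json.loads(policy)
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue
        foreign = any(acct != own_account for acct in _principal_accounts(stmt["Principal"]))
        destructive = any(_action_is_destructive(a) for a in _as_list(stmt.get("Action", [])))
        if foreign and destructive:
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def assess_bucket(cfg, own_account=OWN_ACCOUNT):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    versioning = cfg.get("versioning", {})
    if versioning.get("Status") != "Enabled":
        findings.append("versioning not enabled: overwritten or deleted objects cannot be restored")
    elif versioning.get("MFADelete") != "Enabled":
        findings.append("MFA delete not enabled: version deletion and versioning changes need no second factor")
    lock = cfg.get("object_lock", {})
    if lock.get("ObjectLockEnabled") != "Enabled" or "DefaultRetention" not in lock.get("Rule", {}):
        findings.append("no default Object Lock retention: objects can be deleted at any time")
    pab = cfg.get("public_access_block", {})
    if not all(pab.get(k) is True for k in
               ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")):
        findings.append("public access block incomplete: public write may be possible")
    if cfg.get("policy") is not None:
        sids = foreign_destructive_statements(cfg["policy"], own_account)
        if sids:
            findings.append("bucket policy grants destructive actions to foreign principals: " + ", ".join(sids))
    return findings


# Constructed sample configurations: one weak bucket, one hardened bucket.
WEAK_BUCKET = {
    "name": "weak-bucket",
    "versioning": {"Status": "Suspended"},
    "object_lock": {},
    "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                            "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Sid": "PartnerDelete", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::999988887777:role/partner"},
         "Action": ["s3:GetObject", "s3:Delete*"], "Resource": "arn:aws:s3:::weak-bucket/*"}]},
}
HARDENED_BUCKET = {
    "name": "hardened-bucket",
    "versioning": {"Status": "Enabled", "MFADelete": "Enabled"},
    "object_lock": {"ObjectLockEnabled": "Enabled",
                    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}},
    "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                            "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Sid": "AppReadWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::hardened-bucket/*"}]},
}
# A policy as the JSON string GetBucketPolicy would return.
PUBLIC_DELETE_POLICY_JSON = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AnyoneCanDelete", "Effect": "Allow", "Principal": "*",
     "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::weak-bucket/*"}]})

if __name__ == "__main__":
    for bucket in (WEAK_BUCKET, HARDENED_BUCKET):
        print(bucket["name"], assess_bucket(bucket) or ["OK"])
```

Run against real accounts, the same functions can take the responses from the four S3 API calls named in the docstring; the cross-account check is the one most often missed because a broad s3:* grant to a partner account reads as "read access" in a review.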
aws_security_hub | AWS Security Hub | technique_scores | T1485 | Data Destruction
Comments: AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help detect the scheduled destruction of customer master keys (CMKs), which are critical for being able to decrypt data. Security Hub provides this detection with the following check: "Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs". This is scored as Minimal because CMKs represent only one type of data an adversary could destroy.
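The RDS deletion events, the GuardDuty S3 findings and the CIS metric-filter check above are all signals that a destructive operation occurred; a practitioner usually wants the equivalent logic as rules over CloudTrail records so that the same identity can be correlated across services. The following Python is an added example, not from the page or from AWS. The records are constructed samples using CloudTrail field names, and the burst threshold and window are assumed tuning values.

```python
"""Rule-based detection of destructive AWS API calls in CloudTrail records.

Added example, not from the page or from AWS. Three rules correspond to the
signals the mappings above describe: the CIS metric filter for disabling or
scheduling deletion of KMS keys, the API calls behind RDS-EVENT-0003 and
RDS-EVENT-0041 (instance/snapshot deletion), and a burst of S3 object
deletions by one identity of the kind GuardDuty's S3 findings aim at.
Records are constructed samples in the CloudTrail field layout;
BURST_THRESHOLD and BURST_WINDOW are assumed values.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BURST_THRESHOLD = 50                  # assumed: S3 delete calls per identity ...
BURST_WINDOW = timedelta(minutes=5)   # ... within this sliding window
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Same condition as the CIS CloudWatch metric filter for customer managed keys:
# {($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion))}
KMS_DESTRUCTIVE = {"DisableKey", "ScheduleKeyDeletion"}
# API calls that produce the RDS instance and snapshot deletion events.
RDS_DESTRUCTIVE = {"DeleteDBInstance", "DeleteDBCluster", "DeleteDBSnapshot", "DeleteDBClusterSnapshot"}
# DeleteObjects is one call for many keys; it is counted once here.
S3_DELETES = {"DeleteObject", "DeleteObjects"}


def _when(rec):
    return datetime.strptime(rec["eventTime"], TIME_FMT)


def detect(records):
    """Return a list of alert dicts for the given CloudTrail records."""
    alerts = []
    windows = defaultdict(deque)      # identity -> timestamps of recent S3 deletes
    burst_alerted = set()             # alert once per identity per run
    for rec in sorted(records, key=_when):
        src, name = rec.get("eventSource"), rec.get("eventName")
        who = rec.get("userIdentity", {}).get("arn", "unknown")
        params = rec.get("requestParameters") or {}
        if src == "kms.amazonaws.com" and name in KMS_DESTRUCTIVE:
            alerts.append({"rule": "kms_key_destruction", "identity": who, "event": name,
                           "target": params.get("keyId"), "severity": "high"})
        elif src == "rds.amazonaws.com" and name in RDS_DESTRUCTIVE:
            # Skipping the final snapshot removes the last easy recovery path.
            severity = "high" if params.get("skipFinalSnapshot") else "medium"
            target = (params.get("dBInstanceIdentifier") or params.get("dBClusterIdentifier")
                      or params.get("dBSnapshotIdentifier") or params.get("dBClusterSnapshotIdentifier"))
            alerts.append({"rule": "rds_deletion", "identity": who, "event": name,
                           "target": target, "severity": severity})
        elif src == "s3.amazonaws.com" and name in S3_DELETES:
            ts = _when(rec)
            win = windows[who]
            win.append(ts)
            while ts - win[0] > BURST_WINDOW:       # drop deletes outside the window
                win.popleft()
            if len(win) >= BURST_THRESHOLD and who not in burst_alerted:
                burst_alerted.add(who)
                alerts.append({"rule": "s3_delete_burst", "identity": who, "event": name,
                               "target": params.get("bucketName"), "severity": "high",
                               "count": len(win)})
    return alerts


def sample_records():
    """Constructed CloudTrail-style records: one attacker session, one normal user."""
    base = datetime(2024, 1, 15, 3, 0, 0)
    attacker = "arn:aws:sts::111122223333:assumed-role/ops-admin/i-0abc"
    legit = "arn:aws:iam::111122223333:user/alice"

    def rec(offset, source, name, who, params):
        return {"eventTime": (base + offset).strftime(TIME_FMT), "eventSource": source,
                "eventName": name, "userIdentity": {"arn": who}, "requestParameters": params}

    records = [
        rec(timedelta(0), "kms.amazonaws.com", "ScheduleKeyDeletion", attacker,
            {"keyId": "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555",
             "pendingWindowInDays": 7}),
        rec(timedelta(seconds=10), "rds.amazonaws.com", "DeleteDBInstance", attacker,
            {"dBInstanceIdentifier": "prod-orders", "skipFinalSnapshot": True}),
        rec(timedelta(minutes=1), "s3.amazonaws.com", "GetObject", legit,
            {"bucketName": "scratch", "key": "tmp/readme.txt"}),
    ]
    # 60 deletes in two minutes from the attacker: a burst.
    records += [rec(timedelta(seconds=30 + 2 * i), "s3.amazonaws.com", "DeleteObject", attacker,
                    {"bucketName": "prod-backups", "key": f"db/dump-{i:03d}.sql.gz"}) for i in range(60)]
    # 10 deletes spread over an hour from alice: routine cleanup, below threshold.
    records += [rec(timedelta(minutes=6 * i), "s3.amazonaws.com", "DeleteObject", legit,
                    {"bucketName": "scratch", "key": f"tmp/{i}.log"}) for i in range(10)]
    return records


if __name__ == "__main__":
    for alert in detect(sample_records()):
        print(alert)
```

In production the burst rule would also need a per-bucket baseline, since backup lifecycle jobs legitimately delete in bulk; the page's own caveat for the RDS events (they cannot tell authorized from unauthorized deletion) applies to every rule here.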

ATT&CK Subtechniques

Technique ID | Technique Name | Number of Mappings
T1485.001 | Lifecycle-Triggered Deletion | 17