1. Home
  2. ATT&CK Techniques
  3. T1485 Data Destruction

T1485 Data Destruction Mappings

Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as <code>del</code> and <code>rm</code> often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from Disk Content Wipe and Disk Structure Wipe because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.

Adversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018).

In cloud environments, adversaries may leverage access to delete cloud storage objects, machine images, database instances, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1485 Data Destruction
attribute.availability.variety.Destruction Destruction related-to T1485 Data Destruction
attribute.availability.variety.Interruption Interruption related-to T1485 Data Destruction
amazon_guardduty Amazon GuardDuty technique_scores T1485 Data Destruction
Comments
The following GuardDuty finding type flags events where adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Impact:S3/MaliciousIPCaller, Impact:IAMUser/AnomalousBehavior Stealth:S3/ServerAccessLoggingDisabled UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller PenTest:S3/PentooLinux PenTest:S3/ParrotLinux PenTest:S3/KaliLinux
References
  1. https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan
  2. https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html
aws_cloudendure_disaster_recovery AWS CloudEndure Disaster Recovery technique_scores T1485 Data Destruction
Comments
AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that data on servers is destroyed, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant.
References
  1. https://aws.amazon.com/cloudendure-disaster-recovery/
  2. https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm
aws_config AWS Config technique_scores T1485 Data Destruction
Comments
The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious write access to data within Amazon Simple Storage Service (S3) storage, which may include data destruction: "s3-bucket-blacklisted-actions-prohibited" checks whether bucket policies prohibit disallowed actions (including S3:DeleteObject) for principals from other AWS accounts, "s3-bucket-default-lock-enabled" checks whether a bucket that should be locked in write-once-read-many (WORM) mode is configured to prevent modification, and "s3-bucket-public-write-prohibited" checks whether a bucket is configured to allow public access and modification. All of these controls are run on configuration changes. The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure backups and redundancy are in place which can mitigate the effects of data destruction: "aurora-mysql-backtracking-enabled" for data in Aurora MySQL; "db-instance-backup-enabled" and "rds-in-backup-plan" for Amazon Relational Database Service (RDS) data; "dynamodb-in-backup-plan" and "dynamodb-pitr-enabled" for Amazon DynamoDB table contents; "ebs-in-backup-plan" for Elastic Block Store (EBS) volumes; "efs-in-backup-plan" for Amazon Elastic File System (EFS) file systems; "elasticache-redis-cluster-automatic-backup-check" for Amazon ElastiCache Redis cluster data; "redshift-backup-enabled" and "redshift-cluster-maintenancesettings-check" for Redshift; "s3-bucket-replication-enabled" and "s3-bucket-versioning-enabled" for S3 storage; and "cloudfront-origin-failover-enabled" for CloudFront. The following AWS Config managed rules provide specific detections for configuration problems that should be fixed in order to prevent malicious deletion of specific data: "elb-deletion-protection-enabled" for Elastic Block Store (EBS) volumes, and "rds-cluster-deletion-protection-enabled" and "rds-instance-deletion-protection-enabled" for RDS data. Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only protect certain types of data against destruction, resulting in an overall score of Partial.
References
  1. https://docs.aws.amazon.com/config
  2. https://docs.aws.amazon.com/config/latest/developerguide
  3. https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html
aws_rds AWS RDS technique_scores T1485 Data Destruction
Comments
AWS RDS provides deletion protection which prevents any user from deleting a database instance. If applied, the setting may mitigate attempts to delete a database instance. As a result, this mapping is given a score of Significant.
References
  1. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html
aws_rds AWS RDS technique_scores T1485 Data Destruction
Comments
AWS RDS generates events for database instances and includes the following events that may indicate that an adversary has destroyed the database instance. RDS-EVENT-0003: The DB instance has been deleted RDS-EVENT-0041: A DB snapshot has been deleted This mapping is given a score of Partial because it can't differentiate between an authorized and unauthorized deletion.
References
  1. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html
aws_rds AWS RDS technique_scores T1485 Data Destruction
Comments
AWS RDS supports the replication and recovery of database instances. In the event that a database instance is deleted, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant.
References
  1. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html
aws_s3 AWS S3 technique_scores T1485 Data Destruction
Comments
AWS S3 may protect against data destruction through application of several best practices. Multi-factor authentication can be enabled for delete operations and for changing the versioning state of a bucket. Versioning can be enabled to revert objects to a previous state after malicious destruction or corruption. S3 Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. In addition, S3 Cross Region Replication can be used to replicate S3 buckets to another AWS region for add protection.
References
  1. https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html
aws_security_hub AWS Security Hub technique_scores T1485 Data Destruction
Comments
AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the scheduled destruction of Customer Master Keys (CMKs) which are critical for being able to decrypt data. AWS Security Hub provides this detection with the following check. Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs This is scored as Minimal because CMKs only represent one type of data that could be destroyed by an adversary.
References
  1. https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1485.001 Lifecycle-Triggered Deletion 3