T1485 Data Destruction Mappings

Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from Disk Content Wipe and Disk Structure Wipe because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.

Adversaries may attempt to overwrite files and directories with randomly generated data to make them irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases, politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018)

In cloud environments, adversaries may leverage access to delete cloud storage, cloud storage accounts, machine images, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-3 | Access Enforcement | Protects | T1485 | Data Destruction | |
| AC-6 | Least Privilege | Protects | T1485 | Data Destruction | |
| CM-2 | Baseline Configuration | Protects | T1485 | Data Destruction | |
| CP-10 | System Recovery and Reconstitution | Protects | T1485 | Data Destruction | |
| CP-2 | Contingency Plan | Protects | T1485 | Data Destruction | |
| CP-7 | Alternate Processing Site | Protects | T1485 | Data Destruction | |
| CP-9 | System Backup | Protects | T1485 | Data Destruction | |
| SI-3 | Malicious Code Protection | Protects | T1485 | Data Destruction | |
| SI-4 | System Monitoring | Protects | T1485 | Data Destruction | |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1485 | Data Destruction | |
| CVE-2019-3723 | OpenManage Server Administrator | primary_impact | T1485 | Data Destruction | |
| CVE-2019-3750 | Dell Command Update (DCU) | primary_impact | T1485 | Data Destruction | |
| CVE-2018-5459 | WAGO PFC200 Series | secondary_impact | T1485 | Data Destruction | |
| CVE-2020-1111 | Windows | secondary_impact | T1485 | Data Destruction | |
| CVE-2018-8355 | ChakraCore | secondary_impact | T1485 | Data Destruction | |
| CVE-2020-0671 | Windows | secondary_impact | T1485 | Data Destruction | |
| CVE-2019-1270 | Windows | primary_impact | T1485 | Data Destruction | |
| CVE-2019-1118 | Windows | secondary_impact | T1485 | Data Destruction | |
| CVE-2020-1456 | Microsoft SharePoint Enterprise Server | secondary_impact | T1485 | Data Destruction | |
| CVE-2020-1109 | Windows | secondary_impact | T1485 | Data Destruction | |
| CVE-2020-1163 | Microsoft Forefront Endpoint Protection | primary_impact | T1485 | Data Destruction | |
| CVE-2020-1495 | Microsoft SharePoint Server 2010 Service Pack 2 | secondary_impact | T1485 | Data Destruction | |
| CVE-2018-8248 | Microsoft Office | secondary_impact | T1485 | Data Destruction | |
| CVE-2018-8111 | Microsoft Edge | secondary_impact | T1485 | Data Destruction | |
| CVE-2018-8607 | Microsoft Dynamics 365 | secondary_impact | T1485 | Data Destruction | |
| CVE-2020-1569 | Microsoft Edge (EdgeHTML-based) | secondary_impact | T1485 | Data Destruction | |
| CVE-2020-16874 | Microsoft Visual Studio 2019 version 16.7 (includes 16.0 – 16.6) | secondary_impact | T1485 | Data Destruction | |
| CVE-2019-0609 | Internet Explorer 11 | secondary_impact | T1485 | Data Destruction | |
| CVE-2018-8353 | n/a | secondary_impact | T1485 | Data Destruction | |
| CVE-2018-8110 | Microsoft Edge | secondary_impact | T1485 | Data Destruction | |
| CVE-2018-8575 | Microsoft Project | secondary_impact | T1485 | Data Destruction | |
| CVE-2019-1031 | Microsoft SharePoint Foundation | secondary_impact | T1485 | Data Destruction | |
| CVE-2020-9819 | iOS | uncategorized | T1485 | Data Destruction | |
| CVE-2018-8337 | Windows 10 | uncategorized | T1485 | Data Destruction | |
| action.malware.variety.Destroy data | Destroy or corrupt stored data | related-to | T1485 | Data Destruction | |
aws_rds AWS RDS technique_scores T1485 Data Destruction
Comments
AWS RDS provides deletion protection which prevents any user from deleting a database instance. If applied, the setting may mitigate attempts to delete a database instance. As a result, this mapping is given a score of Significant.
References
aws_rds AWS RDS technique_scores T1485 Data Destruction
Comments
AWS RDS generates events for database instances and includes the following events that may indicate that an adversary has destroyed the database instance:
RDS-EVENT-0003: The DB instance has been deleted
RDS-EVENT-0041: A DB snapshot has been deleted
This mapping is given a score of Partial because it can't differentiate between an authorized and unauthorized deletion.
References
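The RDS deletion events listed above, as an added example that is not part of the original mapping: the code filters constructed event notifications down to RDS-EVENT-0003 and RDS-EVENT-0041 and then marks which deletions lack an operator-approved change record, which is the context the events alone cannot provide and the reason the mapping scores this as Partial. The notification field names follow the shape RDS delivers through SNS; the identifiers, timestamps and approved list are invented for this example.

```python
import re

# The two RDS event IDs the mapping above lists as possible indicators of destruction.
DESTRUCTION_EVENTS = {
    "RDS-EVENT-0003": "DB instance deleted",
    "RDS-EVENT-0041": "DB snapshot deleted",
}

# RDS delivers the event ID as a documentation URL whose fragment is the bare code.
EVENT_CODE_RE = re.compile(r"#(RDS-EVENT-\d{4})$")

def event_code(notification):
    """Return the bare RDS-EVENT-NNNN code from a notification, or None."""
    match = EVENT_CODE_RE.search(notification.get("Event ID", ""))
    return match.group(1) if match else None

def triage_deletions(notifications, approved_sources):
    """Keep only destruction events and mark which ones lack an approved change.

    approved_sources is the set of DB/snapshot identifiers an operator has signed
    off for deletion (an assumed input); the RDS events alone cannot supply it."""
    findings = []
    for note in notifications:
        code = event_code(note)
        if code not in DESTRUCTION_EVENTS:
            continue
        findings.append({
            "source_id": note["Source ID"],
            "event": code,
            "description": DESTRUCTION_EVENTS[code],
            "time": note["Event Time"],
            "needs_review": note["Source ID"] not in approved_sources,
        })
    return findings

# Constructed sample notifications in the shape RDS sends through SNS; all values are invented.
SAMPLE_NOTIFICATIONS = [
    {"Event Source": "db-instance", "Event Time": "2024-03-01 09:00:00.000",
     "Source ID": "orders-db", "Event Message": "DB instance restarted",
     "Event ID": "http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Events.html#RDS-EVENT-0006"},
    {"Event Source": "db-snapshot", "Event Time": "2024-03-01 09:05:00.000",
     "Source ID": "orders-db-2024-02-28", "Event Message": "Deleted manual snapshot",
     "Event ID": "http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Events.html#RDS-EVENT-0041"},
    {"Event Source": "db-instance", "Event Time": "2024-03-01 09:07:00.000",
     "Source ID": "orders-db", "Event Message": "DB instance deleted",
     "Event ID": "http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Events.html#RDS-EVENT-0003"},
]

def demo():
    # Only the snapshot deletion was approved in the change window; the instance deletion was not.
    return triage_deletions(SAMPLE_NOTIFICATIONS, {"orders-db-2024-02-28"})
```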
aws_rds AWS RDS technique_scores T1485 Data Destruction
Comments
AWS RDS supports the replication and recovery of database instances. In the event that a database instance is deleted, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant.
References
aws_config AWS Config technique_scores T1485 Data Destruction
Comments
The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious write access to data within Amazon Simple Storage Service (S3) storage, which may include data destruction: "s3-bucket-blacklisted-actions-prohibited" checks whether bucket policies prohibit disallowed actions (including S3:DeleteObject) for principals from other AWS accounts; "s3-bucket-default-lock-enabled" checks whether a bucket that should be locked in write-once-read-many (WORM) mode is configured to prevent modification; and "s3-bucket-public-write-prohibited" checks whether a bucket is configured to allow public access and modification. All of these controls are run on configuration changes.

The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure backups and redundancy are in place, which can mitigate the effects of data destruction: "aurora-mysql-backtracking-enabled" for data in Aurora MySQL; "db-instance-backup-enabled" and "rds-in-backup-plan" for Amazon Relational Database Service (RDS) data; "dynamodb-in-backup-plan" and "dynamodb-pitr-enabled" for Amazon DynamoDB table contents; "ebs-in-backup-plan" for Elastic Block Store (EBS) volumes; "efs-in-backup-plan" for Amazon Elastic File System (EFS) file systems; "elasticache-redis-cluster-automatic-backup-check" for Amazon ElastiCache Redis cluster data; "redshift-backup-enabled" and "redshift-cluster-maintenancesettings-check" for Redshift; "s3-bucket-replication-enabled" and "s3-bucket-versioning-enabled" for S3 storage; and "cloudfront-origin-failover-enabled" for CloudFront.

The following AWS Config managed rules provide specific detections for configuration problems that should be fixed in order to prevent malicious deletion of specific data: "elb-deletion-protection-enabled" for Elastic Block Store (EBS) volumes, and "rds-cluster-deletion-protection-enabled" and "rds-instance-deletion-protection-enabled" for RDS data.

Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only protect certain types of data against destruction, resulting in an overall score of Partial.
References
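The "s3-bucket-blacklisted-actions-prohibited" check described above, as an added example that is not part of the original mapping or of AWS Config: it evaluates a bucket policy document offline and reports Allow statements that grant a disallowed action (such as s3:DeleteObject, including via wildcards like s3:Delete*) to a principal outside the bucket owner's account. The disallowed-action set, the owner account ID and the sample policy are assumptions constructed for this example.

```python
import fnmatch
import json

# Actions treated as disallowed here; the AWS Config rule takes its list as a parameter,
# so this set is an assumption for the example, not the rule's default.
DISALLOWED_ACTIONS = {"s3:deleteobject", "s3:deleteobjectversion", "s3:putbucketpolicy"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_accounts(principal):
    """Collect account IDs named by a Principal element; '*' means anyone."""
    entries = [e for v in principal.values() for e in _as_list(v)] if isinstance(principal, dict) else _as_list(principal)
    accounts = set()
    for entry in entries:
        if entry.startswith("arn:aws:iam::"):
            accounts.add(entry.split(":")[4])  # arn:aws:iam::<account>:...
        else:
            accounts.add(entry)  # bare account ID or "*"
    return accounts

def find_cross_account_deletes(policy_json, owner_account):
    """Return Allow statements granting a disallowed action to any principal outside owner_account."""
    offenders = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue  # Deny statements and policies without a Principal cannot grant access
        foreign = _principal_accounts(stmt["Principal"]) - {owner_account}
        if not foreign:
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]  # IAM actions are case-insensitive
        hits = sorted(d for d in DISALLOWED_ACTIONS
                      if any(fnmatch.fnmatchcase(d, p) for p in patterns))
        if hits:
            offenders.append({"sid": stmt.get("Sid"), "accounts": sorted(foreign), "actions": hits})
    return offenders

# Constructed sample bucket policy: the owner keeps full access, a partner account gets
# read access in one statement and a wildcard delete grant in another.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OwnerFullAccess", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "PartnerRead", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:role/reader"},
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "PartnerWrite", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:role/writer"},
     "Action": ["s3:PutObject", "s3:Delete*"], "Resource": "arn:aws:s3:::example-bucket/*"},
]})
```

Running find_cross_account_deletes(SAMPLE_POLICY, "111111111111") flags only the PartnerWrite statement; the owner's s3:* grant is ignored because it is the owner's own account.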
aws_s3 AWS S3 technique_scores T1485 Data Destruction
Comments
AWS S3 may protect against data destruction through application of several best practices. Multi-factor authentication can be enabled for delete operations and for changing the versioning state of a bucket. Versioning can be enabled to revert objects to a previous state after malicious destruction or corruption. S3 Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. In addition, S3 Cross Region Replication can be used to replicate S3 buckets to another AWS region for added protection.
References
amazon_guardduty Amazon GuardDuty technique_scores T1485 Data Destruction
Comments
The following GuardDuty finding types flag events where adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources:
Impact:S3/MaliciousIPCaller
Impact:IAMUser/AnomalousBehavior
Stealth:S3/ServerAccessLoggingDisabled
UnauthorizedAccess:S3/MaliciousIPCaller.Custom
UnauthorizedAccess:S3/TorIPCaller
PenTest:S3/PentooLinux
PenTest:S3/ParrotLinux
PenTest:S3/KaliLinux
References
aws_cloudendure_disaster_recovery AWS CloudEndure Disaster Recovery technique_scores T1485 Data Destruction
Comments
AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that data on servers is destroyed, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant.
References
aws_security_hub AWS Security Hub technique_scores T1485 Data Destruction
Comments
AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the scheduled destruction of Customer Master Keys (CMKs), which are critical for being able to decrypt data. AWS Security Hub provides this detection with the following check:
Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
This is scored as Minimal because CMKs only represent one type of data that could be destroyed by an adversary.
References