This documentation contains work-in-progress information for future Elastic Stack and Cloud releases. Use the version selector to view supported release docs. It also contains some Elastic Cloud serverless information. Check out our serverless docs for more details.
Third-party Backup Files Deleted via Unexpected Process
editThird-party Backup Files Deleted via Unexpected Process
editIdentifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a Ransomware attack is less likely.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Impact
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editfile where event.type == "deletion" and
(
/* Veeam Related Backup Files */
(file.extension : ("VBK", "VIB", "VBM") and
not process.executable : ("?:\\Windows\\Veeam\\Backup\\*",
"?:\\Program Files\\Veeam\\Backup and Replication\\*",
"?:\\Program Files (x86)\\Veeam\\Backup and Replication\\*")) or
/* Veritas Backup Exec Related Backup File */
(file.extension : "BKF" and
not process.executable : ("?:\\Program Files\\Veritas\\Backup Exec\\*",
"?:\\Program Files (x86)\\Veritas\\Backup Exec\\*"))
)
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Impact
- ID: TA0040
- Reference URL: https://attack.mitre.org/tactics/TA0040/
-
Technique:
- Name: Inhibit System Recovery
- ID: T1490
- Reference URL: https://attack.mitre.org/techniques/T1490/