Splunk Lantern

High file deletion frequency

This search looks for a high frequency of file deletions, grouped by process name and process ID. These events usually occur when ransomware encrypts files and writes them out with its own file extensions: Sysmon treats the original files as deleted as soon as they are replaced with encrypted data.

Data required 

System log data

Procedure

  1. Ensure your deployment is ingesting logs with the deleted target file name, process name, and process ID from your endpoints.
  2. If you are using Sysmon, ensure you have at least version 6.0.4.
  3. Run the following search. You can optimize it by specifying an index and adjusting the time range.
| search (EventCode=23 (source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational) (TargetFilename="*\.7z" OR TargetFilename="*\.bmp" OR TargetFilename="*\.chm" OR TargetFilename="*\.cmd" OR TargetFilename="*\.db" OR TargetFilename="*\.doc*" OR TargetFilename="*\.gif" OR TargetFilename="*\.ini" OR TargetFilename="*\.jpeg" OR TargetFilename="*\.jpg" OR TargetFilename="*\.js" OR TargetFilename="*\.log" OR TargetFilename="*\.png" OR TargetFilename="*\.ppt*" OR TargetFilename="*\.ps1" OR TargetFilename="*\.rar" OR TargetFilename="*\.vbs" OR TargetFilename="*\.xls*" OR TargetFilename="*\.zip")) 
| stats values(TargetFilename) AS deleted_files min(_time) AS firstTime max(_time) AS lastTime count BY Computer user EventCode Image ProcessID 
| where (count >= 100) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search: | search (EventCode=23 (source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational)
Explanation: Search Sysmon Operational logs for event code 23, file deletion events.

Splunk Search: (TargetFilename="*\.7z" OR TargetFilename="*\.bmp" OR TargetFilename="*\.chm" OR TargetFilename="*\.cmd" OR TargetFilename="*\.db" OR TargetFilename="*\.doc*" OR TargetFilename="*\.gif" OR TargetFilename="*\.ini" OR TargetFilename="*\.jpeg" OR TargetFilename="*\.jpg" OR TargetFilename="*\.js" OR TargetFilename="*\.log" OR TargetFilename="*\.png" OR TargetFilename="*\.ppt*" OR TargetFilename="*\.ps1" OR TargetFilename="*\.rar" OR TargetFilename="*\.vbs" OR TargetFilename="*\.xls*" OR TargetFilename="*\.zip"))
Explanation: Search for the file extensions listed, which are commonly targeted by ransomware infections.

Splunk Search: | stats values(TargetFilename) AS deleted_files min(_time) AS firstTime max(_time) AS lastTime count BY Computer user EventCode Image ProcessID
Explanation: Return the values for the fields shown, sorting first by Computer user and then by the rest of the fields shown.

Splunk Search: | where (count >= 100)
Explanation: Return instances where at least 100 files are deleted at once.

Splunk Search: | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime)
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
Explanation: Convert these times into readable strings.

Next steps

False positives from this search may occur as legitimate users may delete a lot of pictures or files in a folder at once. You will need to create a baseline appropriate to your environment to ascertain what needs further investigation, and then perform further searches to establish whether the behaviour is legitimate or anomalous.
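
The grouping and threshold logic of the search, as an added Python example that is not part of the original page, run over constructed events. It goes beyond the search by offering an optional sliding time window (an assumption added here), which shows that a slow manual cleanup reaches the count of 100 over a long time range while only a burst does so within minutes. The field names follow the search; the hosts, users, paths and the reading of `*\.7z` as `*.7z` are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# TargetFilename wildcards from the search, read as "*.7z", "*.doc*", ... (assumption).
EXTS = "7z bmp chm cmd db doc* gif ini jpeg jpg js log png ppt* ps1 rar vbs xls* zip".split()
PATTERNS = ["*." + e for e in EXTS]

def watched(target_filename):
    """True if the path matches one of the search's TargetFilename patterns."""
    name = target_filename.lower()  # Splunk field-value matching is case-insensitive
    return any(fnmatchcase(name, p) for p in PATTERNS)

def detect(events, threshold=100, window=None):
    """Count EventCode 23 records BY Computer, user, Image, ProcessID.
    window=None counts over the whole input, like the search over its time range; a timedelta
    (an assumption added here) requires `threshold` deletions inside one sliding window."""
    groups = defaultdict(list)
    for e in events:
        if e["EventCode"] == 23 and watched(e["TargetFilename"]):
            key = (e["Computer"], e["user"], e["Image"], e["ProcessID"])
            groups[key].append(e["_time"])
    hits = {}
    for key, times in groups.items():
        times.sort()
        best, lo = len(times), 0
        if window is not None:
            best = 0
            for hi, t in enumerate(times):
                while t - times[lo] > window:  # drop deletions older than the window
                    lo += 1
                best = max(best, hi - lo + 1)
        if best >= threshold:
            hits[key] = {"count": best, "firstTime": times[0], "lastTime": times[-1]}
    return hits

def sample_events():
    """Constructed records: a 2-minute burst, a slow 9-hour cleanup, unwatched .tmp files."""
    t0, out = datetime(2024, 1, 1, 9, 0, 0), []
    def add(host, user, image, pid, path, t):
        out.append({"EventCode": 23, "Computer": host, "user": user, "Image": image,
                    "ProcessID": pid, "TargetFilename": path, "_time": t})
    for i in range(120):
        add("WS01", "alice", r"C:\Temp\sample.exe", 4242, rf"C:\Docs\report{i}.docx", t0 + timedelta(seconds=i))
    for i in range(110):
        add("WS02", "bob", r"C:\Windows\explorer.exe", 1000, rf"C:\Pics\img{i}.jpg", t0 + timedelta(minutes=5 * i))
    for i in range(150):
        add("WS03", "carol", r"C:\Tools\build.exe", 77, rf"C:\Build\obj{i}.tmp", t0 + timedelta(seconds=i))
    return out
```

Calling `detect(sample_events())` flags both the burst and the slow cleanup, while `detect(sample_events(), window=timedelta(minutes=5))` flags only the burst.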

If you receive clear positive results from this search, start your incident response process for dealing with a ransomware infection. You should check for recent backups for the systems affected by the infection.

Finally, you might be interested in other processes associated with the Detecting a ransomware attack or Detecting Clop ransomware use cases.