数据销毁

攻击者可能破坏特定系统上或网络上的大量数据和文件，从而中断系统，服务和网络资源的可用性。数据销毁可能会通过覆盖本地或远程驱动器上的文件或数据而通过法医技术使存储的数据无法恢复常见的操作系统文件删除命令，例如del并且rm通常仅删除指向文件的指针而不会擦除文件本身的内容，从而通过适当的取证方法可恢复文件。此行为不同于“ 磁盘内容擦除”和“ 磁盘结构擦除” 因为销毁了单个文件，而不是销毁了存储磁盘的部分或磁盘的逻辑结构。

攻击者可能会尝试使用随机生成的数据覆盖文件和目录，以使其无法恢复。在某些情况下，用于政治目的的图像文件已被用来覆盖数据。

为了在以网络范围内的可用性中断为目标的运营中最大程度地影响目标组织，旨在破坏数据的恶意软件可能具有蠕虫般的功能，可以利用有效帐户，凭据转储和Windows Admin Shares等其他技术在网络中传播。

Data Destruction

Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from Disk Content Wipe and Disk Structure Wipe because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.

Adversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable. In some cases politically oriented image files have been used to overwrite data

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, Credential Dumping, and Windows Admin Shares.

标签

策略： 影响( Impact )
平台： Linux，macOS，Windows
所需权限： user，administrator，root，SYSTEM
数据源： 文件监视，进程命令行参数，进程监视
影响类型： 可用性( Availability )

缓解措施

减轻	描述
数据备份	考虑实施IT灾难恢复计划，其中包含用于进行可用于还原组织数据的常规数据备份的过程。确保备份存储在系统之外，并且免受攻击者可能用来获取访问权限并破坏备份以防止恢复的常见方法的攻击。

Data Backup	Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.

检测

使用过程监视来监视可能与数据销毁活动有关的二进制文件的执行和命令行参数，例如SDelete(S0195)。监视可疑文件的创建以及异常文件的高修改活动。特别是，请在用户目录和下查找大量文件修改C:\Windows\System32\。

Use process monitoring to monitor the execution and command-line parameters of binaries that could be involved in data destruction activity, such as SDelete. Monitor for the creation of suspicious files as well as high unusual file modification activity. In particular, look for large quantities of file modifications in user directories and under C:\Windows\System32\.

- 译者: 林妙倩、戴亦仑 . source:cve.scap.org.cn