Clankerusecase
MITRE ATT&CK detection coverage

T1485 Data Destruction

T1485 — Data Destruction is a MITRE ATT&CK technique in the Impact tactic. Clankerusecase tracks 60 detection use cases covering it and 13 threat-intel articles citing it.

Impact
60 Use cases
13 Articles
1 Sub-techniques
1 Tactic

Sub-techniques (1)

Use cases covering this technique (60)

AWS ECS cluster deleted | Internal | actions · alerting | DDCW
AWS KMS key deleted or scheduled for deletion | Internal | actions · alerting | DDCW
AWS RDS DB cluster deleted | Internal | actions · alerting | DDCW
Azure storage soft-delete disabled | Internal | actions · alerting | DD
GitHub mass repository deletion | Internal | actions · alerting | DD
MongoDB database dropped | Internal | actions · alerting | DD
PostgreSQL database dropped | Internal | actions · alerting | DD
AWS Bedrock Delete Knowledge Base | ESCU | actions · alerting | P
GitHub Enterprise Remove Organization | ESCU | actions · hunting | P
GitHub Enterprise Repository Archived | ESCU | actions · hunting | P
GitHub Enterprise Repository Deleted | ESCU | actions · hunting | P
GitHub Organizations Repository Archived | ESCU | actions · hunting | P
GitHub Organizations Repository Deleted | ESCU | actions · hunting | P
O365 Email Hard Delete Excessive Volume | ESCU | actions · hunting | P
O365 Email Password and Payroll Compromise Behavior | ESCU | actions · alerting | P
O365 Email Receive and Hard Delete Takeover Behavior | ESCU | actions · hunting | P
O365 Email Send and Hard Delete Exfiltration Behavior | ESCU | actions · hunting | P
O365 Email Send and Hard Delete Suspicious Behavior | ESCU | actions · hunting | P
O365 Email Send Attachments Excessive Volume | ESCU | actions · hunting | P
Common Ransomware Extensions | ESCU | actions · alerting | P
Common Ransomware Notes | ESCU | actions · hunting | P
Excessive File Deletion In WinDefender Folder | ESCU | actions · alerting | P
Linux Account Manipulation Of SSH Config and Keys | ESCU | actions · hunting | P
Linux Auditd Data Destruction Command | ESCU | actions · alerting | P
Linux Auditd Dd File Overwrite | ESCU | actions · alerting | P
Linux Auditd Shred Overwrite Command | ESCU | actions · alerting | P
Linux Data Destruction Command | ESCU | actions · alerting | P
Linux DD File Overwrite | ESCU | actions · alerting | P
Linux Deleting Critical Directory Using RM Command | ESCU | actions · alerting | P
Linux Deletion Of Cron Jobs | ESCU | actions · hunting | P
Linux Deletion Of Init Daemon Script | ESCU | actions · alerting | P
Linux Deletion Of Services | ESCU | actions · alerting | P
Linux Deletion of SSL Certificate | ESCU | actions · hunting | P
Linux High Frequency Of File Deletion In Boot Folder | ESCU | actions · alerting | P
Linux High Frequency Of File Deletion In Etc Folder | ESCU | actions · hunting | P
Linux Shred Overwrite Command | ESCU | actions · alerting | P
Sdelete Application Execution | ESCU | actions · alerting | P
Windows Data Destruction Recursive Exec Files Deletion | ESCU | actions · alerting | P
Windows Disable Memory Crash Dump | ESCU | actions · alerting | P
Windows File Without Extension In Critical Folder | ESCU | actions · alerting | P
Windows High File Deletion Frequency | ESCU | actions · hunting | P
Detect DNS Query to Decommissioned S3 Bucket | ESCU | actions · hunting | P
Detect Web Access to Decommissioned S3 Bucket | ESCU | actions · hunting | P
[LLM] Anti-forensic deletion/tampering of macOS Tahoe 26 App.MenuItem Biome stream | Bespoke | actions · alerting | DSΣPDDCS
[LLM] ShinyHunters ransom marker file — README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT in PeopleSoft directories | Bespoke | actions · alerting | DSΣPDDCS
[LLM] gh-token-monitor service install or rm -rf wiper command (Hades self-destruct) | Bespoke | actions · alerting | DSΣPDDCS
[LLM] Destructive 'rm -rf ~' or Miasma honeytoken tripwire from node/bun process tree | Bespoke | actions · alerting | DSΣPDDCS
[LLM] Locale-conditional rm -rf wiper command from python/node runtime | Bespoke | actions · alerting | DSΣPDDCS
[LLM] AI coding agent bulk-deleting JUnit test files after jqwik resolution | Bespoke | actions · alerting | DSPDDCS
[LLM] Arcane GitOps: DELETE /api/customize/git-repositories/{id} by non-admin principal (CVE-2026-45625 DoS / post-exfiltration cleanup) | Bespoke | actions · alerting | SΣPDD
[LLM] Malicious privileged DaemonSet apply in kube-system (host-provisioner-iran / host-provisioner-std / kamikaze) | Bespoke | install · alerting | DSΣPDDCS
[LLM] Host-root mount wiper: chroot /mnt/host reboot -f or rm -rf / --no-preserve-root | Bespoke | actions · alerting | DSΣPDDCS
[LLM] Compromised kubernetes.el destructive payload — Emacs spawning `rm -rf / --no-preserve-root` | Bespoke | actions · alerting | DSΣPDD
[LLM] DynoWiper / ZOV wiper known-bad SHA-1 hash execution | Bespoke | install · alerting | DSΣPDDCS
[LLM] DynoWiper schtask.exe / *_update.exe execution from C:\inetpub\pub\ | Bespoke | install · alerting | DSΣPDDCS
[LLM] Mass file-content overwrite by single non-system process from non-standard path | Bespoke | actions · hunting | DSPDDCS
[LLM] DynoWiper deployment from shared inetpub\pub directory (Sandworm, Poland Dec 2025) | Bespoke | install · alerting | DSΣP
[LLM] DynoWiper PDB-string + vagrant build artefact in loaded modules | Bespoke | install · hunting | DSΣP
[LLM] SHA1-Hulud wiper: mass deletion of user home directory by npm/node descendant | Bespoke | actions · alerting | DSPDDCS
[LLM] s1ngularity nx: node modifies ~/.bashrc or ~/.zshrc to inject `sudo shutdown -h 0` | Bespoke | install · alerting | DSΣPDD

Articles citing this technique (13)