Monitor for changes made to a large quantity of files for unexpected modifications in both user directories and directories used to store programs and OS components (e.g., C:\Windows\System32).
Monitor for newly executed processes of binaries that could be involved in data destruction activity, such as SDelete.
Monitor for unexpected deletion of files.
Monitor executed commands and arguments for binaries that could be involved in data destruction activity, such as SDelete.
| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | File | None |
| Process Creation (DC0032) | Process | None |
| File Deletion (DC0040) | File | None |
| Command Execution (DC0064) | Command | None |