DET0146: Detection of Data Destruction Across Platforms via Mass Overwrite and Deletion Patterns
This detection strategy is about recognizing destructive activity before or during business disruption: large-scale overwrite and deletion patterns associa...
Analyst context for executives and security teams
This detection strategy is about recognizing destructive activity before or during business disruption: large-scale overwrite and deletion patterns associated with ATT&CK technique T1485 Data Destruction. For executives, the value is not simply “detect file deletion,” but proving the organization can see destructive behavior across critical environments quickly enough to support containment, recovery decisions, and evidence for post-incident review.
Executive priority
Prioritize this as an operational resilience and incident readiness control. Data destruction maps to the impact tactic and can affect availability of systems, services, and network resources. Leaders should ask whether SOC, IR, backup, cloud, Linux, container, and ESXi owners can produce timely evidence of mass overwrite or deletion activity, and whether recovery plans account for environments where forensic recovery may be limited after overwrites.
Technical view
MITRE provides no official detection text for DET0146, but the relationship states it detects T1485 Data Destruction. Detection engineering should therefore validate monitoring for abnormal high-volume file deletion, overwrite, or destructive write behavior in environments relevant to T1485: Containers, ESXi, IaaS, and Linux. SOC playbooks should distinguish expected administrative cleanup or lifecycle jobs from sudden destructive patterns affecting many files, systems, or network resources.
Likely telemetry
- File deletion and file modification/write events where available
- Operating system audit logs from Linux systems
- Cloud/IaaS activity logs relevant to storage, compute instances, and destructive administrative actions
- Container runtime or orchestration logs where file or volume activity is observable
- ESXi or virtualization platform logs related to datastore, VM, or file operations
Detection direction
- Validate whether telemetry can show both deletion and overwrite patterns, not just process starts or alerts.
- Baseline legitimate high-volume cleanup, log rotation, deployment, backup, and lifecycle-management activity to reduce false positives.
- Correlate mass file operations with account context, host or workload scope, timing, and affected storage locations.
- Confirm coverage for the related T1485 platforms supplied by ATT&CK: Containers, ESXi, IaaS, and Linux; do not assume the detection strategy itself defines platforms because the object lists platforms as not specified.
- Tune escalation for patterns affecting many systems, critical services, shared storage, or recovery assets.
Mitigation priorities
- Prioritize resilient, tested backups and snapshots with appropriate protection from deletion or overwrite.
- Restrict and monitor privileged access capable of destructive file, storage, virtualization, or cloud operations.
- Ensure IR procedures include rapid isolation, preservation of available logs, and recovery decision points for destructive activity.
- Review administrative automation and cleanup jobs so expected destructive actions are documented and distinguishable from suspicious mass destruction.
- Use detection validation exercises to prove telemetry, alerting, and recovery evidence are available before an incident.
Analyst notes and limits
DET0146 is a detection strategy object with no official description or detection guidance supplied in the provided fields. The strongest supported context is its relationship to T1485 Data Destruction, an impact technique involving destruction of data and files to interrupt availability. Recommendations are therefore framed as validation directions rather than guaranteed detections.
The object does not specify platforms, tactics, aliases, labels, official description, or official detection text. Platform and tactic context comes only from the supplied relationship to T1485. Local architecture, logging configuration, retention, and backup design are required to determine actual coverage.
Detection of Data Destruction Across Platforms via Mass Overwrite and Deletion Patterns
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1485 | Data Destruction | This object detects Data Destruction. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 85012060fde0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack DET0146Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.