DET0758: Detection of Data Destruction
This detection strategy matters because it is tied to ICS Data Destruction, a behavior that can remove files, tools, malware artifacts, or other data durin...
Analyst context for executives and security teams
This detection strategy matters because it is tied to ICS Data Destruction, a behavior that can remove files, tools, malware artifacts, or other data during an intrusion. For security leaders, the business issue is not only loss of data but loss of forensic visibility: if destruction occurs, incident responders may have less evidence to determine scope, recovery needs, and operational risk.
Executive priority
Treat this as an operational resilience and incident-readiness concern for ICS environments. Leaders should ask whether critical systems, engineering workstations, servers, and supporting repositories have recoverable backups, retained logs, and evidence collection sufficient to investigate destructive cleanup or data removal. Because the ATT&CK detection strategy has no official detection text or platform scope, priority should be on validating local coverage rather than assuming a generic control already addresses it.
Technical view
SOC and IR teams should map DET0758 to technique T0809 Data Destruction and validate whether they can observe suspicious file removal, unexpected creation and deletion of non-native files, disappearance of tooling or malware artifacts, and gaps in host or log evidence during an intrusion. Since platforms and tactics are not specified in the supplied ATT&CK object, detection engineering should be environment-driven: identify where ICS-relevant hosts store operational files, logs, project/configuration data, and security evidence, then confirm monitoring and retention around deletion or tampering events.
Likely telemetry
- Host file creation, deletion, modification, and rename events where available
- Security, system, and application logs showing unusual cleanup activity or log gaps
- Endpoint or server records of non-native files, tools, scripts, or malware artifacts appearing and then being removed
- Backup, snapshot, and repository metadata showing deletion, overwrite, or unexpected change patterns
- ICS-adjacent asset inventory and change records to correlate destructive activity with affected systems
Detection direction
- Validate that telemetry exists before writing analytics; the official detection strategy does not specify platforms or detection logic.
- Tune for context: legitimate maintenance, software deployment, patching, and backup rotation can resemble bulk deletion or cleanup activity.
- Correlate deletion or cleanup events with prior suspicious file creation, execution, or presence of non-native tools where such evidence is available.
- Look for investigative blind spots caused by missing endpoint visibility, short log retention, or systems where file auditing is not enabled.
- Use the relationship to T0809 to frame detections around data destruction and artifact removal, not around a specific malware family or actor.
Mitigation priorities
- Prioritize reliable backups, restore testing, and retention for systems and data needed to maintain or recover ICS operations.
- Preserve evidence sources through centralized logging and retention so destruction on one host does not eliminate the investigation trail.
- Restrict unnecessary write/delete privileges on sensitive operational data and repositories using least-privilege access controls.
- Document IR procedures for suspected destructive activity, including evidence preservation and recovery decision points.
- Review detection coverage with ICS asset owners because the ATT&CK object does not define a universal platform scope.
Analyst notes and limits
The supplied ATT&CK object is a detection strategy, DET0758, and its only substantive context is the relationship indicating it detects T0809 Data Destruction in the ICS domain. The related technique description supports focus on removal of malware, tools, non-native files, and other data during an operation.
MITRE provides no official description, detection text, tactics, platforms, or aliases for this object in the supplied fields. Recommendations therefore remain general and must be validated against local ICS architecture, logging capability, retention, backup design, and operational change processes.
Detection of Data Destruction
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0809 | Data Destruction | This object detects Data Destruction. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 621d5b06161b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack DET0758Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.