File Deletion via Shred

 1[metadata]
 2creation_date = "2020/04/27"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/08/24"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within
13a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or
14remove them at the end as part of the post-intrusion cleanup process.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.*"]
18language = "kuery"
19license = "Elastic License v2"
20name = "File Deletion via Shred"
21risk_score = 21
22rule_id = "a1329140-8de3-4445-9f87-908fb6d824f4"
23severity = "low"
24tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
25timestamp_override = "event.ingested"
26type = "query"
27
28query = '''
29event.category:process and host.os.type:linux and event.type:start and process.name:shred and
30process.args:("-u" or "--remove" or "-z" or "--zero") and not process.parent.name:logrotate
31'''
32
33
34[[rule.threat]]
35framework = "MITRE ATT&CK"
36[[rule.threat.technique]]
37id = "T1070"
38name = "Indicator Removal"
39reference = "https://attack.mitre.org/techniques/T1070/"
40[[rule.threat.technique.subtechnique]]
41id = "T1070.004"
42name = "File Deletion"
43reference = "https://attack.mitre.org/techniques/T1070/004/"
44
45
46
47[rule.threat.tactic]
48id = "TA0005"
49name = "Defense Evasion"
50reference = "https://attack.mitre.org/tactics/TA0005/"