File Deletion
Detects file deletion using the "rm", "shred" or "unlink" commands, which adversaries often use to delete files left behind by their intrusion activity
Sigma rule (View on GitHub)
```yaml
title: File Deletion
id: 30aed7b6-d2c1-4eaf-9382-b6bc43e50c57
status: stable
description: Detects file deletion using "rm", "shred" or "unlink" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
author: Ömer Günal, oscd.community
date: 2020-10-07
modified: 2022-09-15
tags:
    - attack.defense-evasion
    - attack.t1070.004
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '/rm' # covers /rmdir as well
            - '/shred'
            - '/unlink'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: informational
```
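As an added example (not part of the rule or of the Sigma project), a small Python evaluator for the rule's `selection` block, run over constructed Linux process_creation events. It shows that `endswith: '/rm'` matches a plain `rm` binary but not an `rmdir` binary (the related rule below covers that case), and sketches a parent-process exclusion for the stated false positive; the package-manager paths and field names are assumptions.

```python
"""Added example: evaluate the rule's Image|endswith selection over constructed events."""

# Suffixes taken from the rule's Image|endswith list.
DELETION_SUFFIXES = ("/rm", "/shred", "/unlink")

# Constructed sample events in the shape of a Sigma process_creation log source.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/rm", "CommandLine": "rm -f /tmp/.stage", "ParentImage": "/bin/bash"},
    {"Image": "/usr/bin/shred", "CommandLine": "shred -u /tmp/stage.bin", "ParentImage": "/bin/bash"},
    {"Image": "/usr/bin/unlink", "CommandLine": "unlink /tmp/sock", "ParentImage": "/bin/sh"},
    {"Image": "/usr/bin/rm", "CommandLine": "rm -rf /var/cache/apt/archives/partial",
     "ParentImage": "/usr/bin/apt-get"},
    {"Image": "/usr/bin/rmdir", "CommandLine": "rmdir /tmp/empty", "ParentImage": "/bin/bash"},
    {"Image": "/usr/bin/vim", "CommandLine": "vim notes.txt", "ParentImage": "/bin/bash"},
]


def sigma_endswith(value, suffixes):
    """Sigma `endswith` modifier: literal suffix match, case-insensitive by Sigma's default."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def rule_matches(event):
    """`condition: selection` reduces to the single Image|endswith test."""
    return sigma_endswith(event.get("Image", ""), DELETION_SUFFIXES)


def detect(events):
    """Return every event the rule would flag (level: informational)."""
    return [e for e in events if rule_matches(e)]


# Hypothetical tuning for the rule's "legitimate administration" false positive:
# drop hits whose parent is a package manager. Assumed paths, not from the rule.
ADMIN_PARENTS = {"/usr/bin/apt-get", "/usr/bin/dpkg", "/usr/bin/rpm"}


def detect_tuned(events):
    """Same rule, minus hits spawned by the assumed package-manager parents."""
    return [e for e in detect(events) if e.get("ParentImage") not in ADMIN_PARENTS]


if __name__ == "__main__":
    for e in detect_tuned(SAMPLE_EVENTS):
        print(f"[informational] {e['Image']}: {e['CommandLine']}")
```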
Related rules
- ADS Zone.Identifier Deleted By Uncommon Application
- Backup Catalog Deleted
- Cisco File Deletion
- Directory Removal Via Rmdir
- File Deleted Via Sysinternals SDelete