File Deletion
Detects file deletion using "rm", "shred" or "unlink" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity
Sigma rule
title: File Deletion
id: 30aed7b6-d2c1-4eaf-9382-b6bc43e50c57
status: stable
description: Detects file deletion using "rm", "shred" or "unlink" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
author: Ömer Günal, oscd.community
date: 2020/10/07
modified: 2022/09/15
tags:
    - attack.defense_evasion
    - attack.t1070.004
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '/rm'      # suffix match: matches e.g. /usr/bin/rm, but not /usr/bin/rmdir
            - '/shred'
            - '/unlink'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: informational
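The following is an added example, not part of the Sigma rule or the SigmaHQ project: it re-implements the rule's single `Image|endswith` selection in plain Python and runs it over constructed Linux process_creation events, so you can see exactly what the rule does and does not fire on (the `endswith` modifier is a suffix test, so `/usr/bin/rm` matches while `/usr/bin/rmdir` and `/opt/tools/shredder` do not). The event dicts, the field names and the `matches_file_deletion` / `triage_events` helpers are assumptions made for this example; the three suffixes, rule id, level and technique come from the rule above.

```python
"""Evaluate the 'File Deletion' Sigma rule's selection logic against
constructed Linux process_creation events.

Added illustration; not part of the Sigma rule or the SigmaHQ project.
The event layout, field names and helper functions are assumptions made
for this example. The suffixes, id, level and technique come from the rule.
"""

# The three Image|endswith values from the rule's selection block.
IMAGE_SUFFIXES = ("/rm", "/shred", "/unlink")

RULE_ID = "30aed7b6-d2c1-4eaf-9382-b6bc43e50c57"
RULE_LEVEL = "informational"
RULE_TECHNIQUE = "T1070.004"


def matches_file_deletion(event: dict) -> bool:
    """Return True when the event satisfies the rule's 'selection'.

    Sigma's 'endswith' modifier is a plain suffix test on the field value,
    so '/usr/bin/rm' matches '/rm' while '/usr/bin/rmdir' does not, and a
    missing or non-string Image field never matches.
    """
    image = event.get("Image")
    if not isinstance(image, str):
        return False
    return any(image.endswith(suffix) for suffix in IMAGE_SUFFIXES)


def triage_events(events: list[dict]) -> list[dict]:
    """Return the events the rule would alert on, each annotated with the
    rule's id, level and ATT&CK technique for downstream triage."""
    hits = []
    for event in events:
        if matches_file_deletion(event):
            hits.append({
                "Image": event["Image"],
                "CommandLine": event.get("CommandLine", ""),
                "User": event.get("User", ""),
                "rule_id": RULE_ID,
                "level": RULE_LEVEL,
                "technique": RULE_TECHNIQUE,
            })
    return hits


# Constructed sample events (not real telemetry), in the flat field layout
# Sigma uses for the linux/process_creation log source.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/rm", "CommandLine": "rm -f /tmp/dropped.bin", "User": "www-data"},
    {"Image": "/usr/bin/shred", "CommandLine": "shred -u /tmp/notes.txt", "User": "www-data"},
    {"Image": "/usr/bin/unlink", "CommandLine": "unlink /tmp/x", "User": "root"},
    {"Image": "/usr/bin/rmdir", "CommandLine": "rmdir /tmp/empty", "User": "root"},
    {"Image": "/usr/bin/ls", "CommandLine": "ls -la /home", "User": "admin"},
    {"Image": "/opt/tools/shredder", "CommandLine": "shredder --help", "User": "admin"},
    {"CommandLine": "event with no Image field", "User": "admin"},
]

if __name__ == "__main__":
    for hit in triage_events(SAMPLE_EVENTS):
        print(f"[{hit['level']}] {hit['technique']} {hit['User']} "
              f"{hit['Image']}: {hit['CommandLine']}")
```

Run as a script it prints the three matching events (rm, shred, unlink) and nothing for rmdir, ls, the unrelated `shredder` binary or the event without an Image field. Because the level is informational and the only listed false positive is legitimate administration, a practical deployment would use this as a building block for correlation (for example, joined with the related "Clear Linux Logs" rule on the same host) rather than as a standalone alert.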
Related rules
- Auditing Configuration Changes on Linux Host
- Clear Linux Logs
- Connection Proxy
- File or Folder Permissions Change
- Install Root Certificate