Cisco File Deletion
See what files are being deleted from flash file systems
Sigma rule
title: Cisco File Deletion
id: 71d65515-c436-43c0-841b-236b1f32c21e
status: test
description: See what files are being deleted from flash file systems
author: Austin Clark
date: 2019-08-12
modified: 2023-01-04
tags:
    - attack.defense-evasion
    - attack.impact
    - attack.t1070.004
    - attack.t1561.001
    - attack.t1561.002
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'erase'
        - 'delete'
        - 'format'
    condition: keywords
fields:
    - CmdSet
falsepositives:
    - Will be used sometimes by admins to clean up local flash space
level: medium
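The rule's keywords are unanchored: a Sigma keyword list matches any of its strings, case-insensitively, anywhere in the event, so 'format' also fires on a command that merely contains "Information". The following triage helper is an added example, not part of the rule or the Sigma project; the `CmdAV=`/`CmdArgAV=` layout inside `CmdSet` and the sample records are assumptions constructed for illustration.

```python
import re

# Keywords copied from the rule's detection section.
KEYWORDS = ("erase", "delete", "format")

def keyword_hits(event):
    """Sigma keyword semantics: case-insensitive substring search over the
    whole event, with the list items OR'ed together."""
    low = event.lower()
    return [k for k in KEYWORDS if k in low]

# Assumed record layout (not defined by the rule): the command is logged as
# CmdSet=[ CmdAV=<verb> CmdArgAV=<arg> ... ]
CMDSET = re.compile(r"CmdSet=\[([^\]]*)\]")
TOKEN = re.compile(r"Cmd(?:Arg)?AV=(\S+)")

def command_tokens(event):
    """Return the command words held in CmdSet, lower-cased."""
    m = CMDSET.search(event)
    return [t.lower() for t in TOKEN.findall(m.group(1))] if m else []

def triage(event):
    """Classify an event: 'no-hit' (rule does not fire), 'command' (a keyword
    is a whole word of the logged command) or 'substring-only' (the keyword
    only appears inside a longer word or outside CmdSet)."""
    hits = keyword_hits(event)
    if not hits:
        return "no-hit"
    tokens = command_tokens(event)
    return "command" if any(k in tokens for k in hits) else "substring-only"

# Constructed sample records, not real device output.
SAMPLES = [
    "User=netops1 NAS=192.0.2.1 CmdSet=[ CmdAV=delete CmdArgAV=/force CmdArgAV=flash:old-image.bin ]",
    "User=netops1 NAS=192.0.2.1 CmdSet=[ CmdAV=write CmdArgAV=erase ]",
    "User=netops2 NAS=192.0.2.7 CmdSet=[ CmdAV=show CmdArgAV=logging CmdArgAV=| CmdArgAV=include CmdArgAV=Information ]",
    "User=netops2 NAS=192.0.2.7 CmdSet=[ CmdAV=show CmdArgAV=version ]",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{triage(line):15} {keyword_hits(line)} {command_tokens(line)}")
```

Events classed as 'substring-only' still match the rule as written; the split only helps prioritise review alongside the documented admin-cleanup false positives.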
Related rules
- Secure Deletion with SDelete
- ADS Zone.Identifier Deleted By Uncommon Application
- Audit CVE Event
- Azure Application Deleted
- Azure Firewall Modified or Deleted