Cisco File Deletion
See what files are being deleted from flash file systems
Sigma rule (View on GitHub)
1title: Cisco File Deletion
2id: 71d65515-c436-43c0-841b-236b1f32c21e
3status: test
4description: See what files are being deleted from flash file systems
5author: Austin Clark
6date: 2019-08-12
7modified: 2023-01-04
8tags:
9 - attack.defense-evasion
10 - attack.impact
11 - attack.t1070.004
12 - attack.t1561.001
13 - attack.t1561.002
14logsource:
15 product: cisco
16 service: aaa
17detection:
18 keywords:
19 - 'erase'
20 - 'delete'
21 - 'format'
22 condition: keywords
23fields:
24 - CmdSet
25falsepositives:
26 - Will be used sometimes by admins to clean up local flash space
27level: medium
Related rules
- ADS Zone.Identifier Deleted By Uncommon Application
- Audit CVE Event
- Azure Application Deleted
- Azure Firewall Modified or Deleted
- Azure Firewall Rule Collection Modified or Deleted