Cisco File Deletion

See what files are being deleted from flash file systems

Sigma rule

title: Cisco File Deletion
id: 71d65515-c436-43c0-841b-236b1f32c21e
status: test
description: See what files are being deleted from flash file systems
author: Austin Clark
date: 2019/08/12
modified: 2023/01/04
tags:
    - attack.defense_evasion
    - attack.impact
    - attack.t1070.004
    - attack.t1561.001
    - attack.t1561.002
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'erase'
        - 'delete'
        - 'format'
    condition: keywords
fields:
    - CmdSet
falsepositives:
    - Will be used sometimes by admins to clean up local flash space
level: medium
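
How the keyword list behaves against log lines, as an added example that is not part of the Sigma rule or its repository: Sigma applies a bare keyword list to the whole event as case-insensitive substrings joined by OR, so the sketch below also flags hits where a keyword only appears inside a longer word. The log layout, host, user names and addresses are constructed for illustration.

```python
import re

# Keywords copied from the rule's detection section.
KEYWORDS = ["erase", "delete", "format"]

# Constructed sample events (not real device output). The syslog-style layout
# and the "CmdSet=[ ... ]" framing are assumptions made for this example.
SAMPLE_EVENTS = [
    "Jan  4 10:02:11 tacacs01 user=netops1 device=10.0.0.1 CmdSet=[ CmdAV=delete /force flash:old-image.bin ]",
    "Jan  4 10:03:40 tacacs01 user=netops1 device=10.0.0.1 CmdSet=[ CmdAV=show version ]",
    "Jan  4 10:05:02 tacacs01 user=netops2 device=10.0.0.2 CmdSet=[ CmdAV=Format flash: ]",
    "Jan  4 10:06:19 tacacs01 user=netops2 device=10.0.0.2 CmdSet=[ CmdAV=write erase ]",
    "Jan  4 10:07:55 tacacs01 user=netops3 device=10.0.0.3 CmdSet=[ CmdAV=show running-config | include information ]",
]


def matched_keywords(event):
    """Keywords found anywhere in the event, case-insensitively (OR logic)."""
    lowered = event.lower()
    return [k for k in KEYWORDS if k in lowered]


def cmdset(event):
    """Extract the CmdSet value, the field the rule lists for analyst review."""
    m = re.search(r"CmdSet=\[\s*(.*?)\s*\]", event)
    return m.group(1) if m else None


def triage(events):
    """Return (CmdSet, keywords, substring_only) for every matching event.

    substring_only is True when a matched keyword never appears as a whole
    word, which usually indicates a benign hit worth tuning out.
    """
    hits = []
    for event in events:
        kws = matched_keywords(event)
        if not kws:
            continue
        lowered = event.lower()
        substring_only = any(
            not re.search(rf"\b{re.escape(k)}\b", lowered) for k in kws
        )
        hits.append((cmdset(event), kws, substring_only))
    return hits


if __name__ == "__main__":
    for cmd, kws, substring_only in triage(SAMPLE_EVENTS):
        print(f"{kws} substring_only={substring_only} :: {cmd}")
```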
