File Deletion Via Del

 1title: File Deletion Via Del
 2id: 379fa130-190e-4c3f-b7bc-6c8e834485f3
 3status: test
 4description: |
 5    Detects execution of the builtin "del"/"erase" commands in order to delete files.
 6    Adversaries may delete files left behind by the actions of their intrusion activity.
 7    Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.
 8    Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.    
 9references:
10    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
11    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase
12author: frack113
13date: 2022-01-15
14modified: 2024-03-05
15tags:
16    - attack.defense-evasion
17    - attack.t1070.004
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection_img:
23        - Image|endswith: '\cmd.exe'
24        - OriginalFileName: 'Cmd.Exe'
25    selection_del:
26        CommandLine|contains:
27            - 'del '
28            - 'erase '
29    selection_flags:
30        CommandLine|contains|windash:
31            - ' -f' # Force deleting of read-only files.
32            - ' -s' # Delete specified files from all subdirectories.
33            - ' -q' # Quiet mode, do not ask if ok to delete on global wildcard
34    condition: all of selection_*
35falsepositives:
36    - False positives levels will differ Depending on the environment. You can use a combination of ParentImage and other keywords from the CommandLine field to filter legitimate activity
37level: low