File Deletion Via Del

Detects execution of the builtin "del"/"erase" commands in order to delete files. Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.

Sigma rule (View on GitHub)

 1title: File Deletion Via Del
 2id: 379fa130-190e-4c3f-b7bc-6c8e834485f3
 3status: test
 4description: |
 5    Detects execution of the builtin "del"/"erase" commands in order to delete files.
 6    Adversaries may delete files left behind by the actions of their intrusion activity.
 7    Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.
 8    Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.    
 9references:
10    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
11    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase
12author: frack113
13date: 2022/01/15
14modified: 2024/02/17
15tags:
16    - attack.defense_evasion
17    - attack.t1070.004
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection_img:
23        - Image|endswith: '\cmd.exe'
24        - OriginalFileName: 'Cmd.Exe'
25    selection_del:
26        CommandLine|contains:
27            - 'del '
28            - 'erase '
29    selection_flags:
30        CommandLine|contains:
31            - ' /f' # Force deleting of read-only files.
32            - ' -f'
33            - ' /s' # Delete specified files from all subdirectories.
34            - ' -s'
35            - ' /q' # Quiet mode, do not ask if ok to delete on global wildcard
36            - ' -q'
37    condition: all of selection_*
38falsepositives:
39    - False positives levels will differ Depending on the environment. You can use a combination of ParentImage and other keywords from the CommandLine field to filter legitimate activity
40level: low

References

Related rules

to-top