Greedy File Deletion Using Del
Detects execution of the "del" builtin command to remove files using a greedy/wildcard expression. Malware often does this to delete the contents of folders that may hold the initial infection, or to delete evidence.
Sigma rule
```yaml
title: Greedy File Deletion Using Del
id: 204b17ae-4007-471b-917b-b917b315c5db
status: test
description: Detects execution of the "del" builtin command to remove files using greedy/wildcard expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence.
references:
    - https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase
author: frack113, X__Junior (Nextron Systems)
date: 2021-12-02
modified: 2023-09-11
tags:
    - attack.defense-evasion
    - attack.t1070.004
logsource:
    category: process_creation
    product: windows
detection:
    # Example:
    # del C:\ProgramData\*.dll & exit
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_del:
        CommandLine|contains:
            - 'del '
            - 'erase '
    selection_extensions:
        CommandLine|contains:
            - '\\\*.au3'
            - '\\\*.dll'
            - '\\\*.exe'
            - '\\\*.js'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
```
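The rule's matching semantics, re-implemented in plain Python as an added example (not code from the Sigma project or pySigma): the three selections are ANDed, values inside each selection are ORed, string modifiers compare case-insensitively, and `\\\*` in the rule is Sigma escaping for the literal text `\*`. The process_creation events below are constructed for the demonstration.

```python
def sigma_unescape(pattern: str) -> str:
    """Turn a Sigma string value into the literal text it matches:
    '\\\\' is one backslash and '\\*' is a literal asterisk, not a wildcard."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "\\*?":
            out.append(pattern[i + 1])
            i += 2
        else:
            out.append(pattern[i])
            i += 1
    return "".join(out)

# Values copied from the rule above; the extension list is unescaped once.
IMAGE_SUFFIX = "\\cmd.exe"
ORIGINAL_NAME = "Cmd.Exe"
VERBS = ["del ", "erase "]
EXTENSIONS = [sigma_unescape(p) for p in (r"\\\*.au3", r"\\\*.dll", r"\\\*.exe", r"\\\*.js")]

def matches(event: dict) -> bool:
    """Return True when the event satisfies 'condition: all of selection_*'."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    # selection_img: list of maps => either entry is enough
    sel_img = (image.endswith(IMAGE_SUFFIX.lower())
               or event.get("OriginalFileName", "").lower() == ORIGINAL_NAME.lower())
    # selection_del: 'del ' / 'erase ' anywhere in the command line (note the
    # trailing space; a path such as 'C:\model ' would also satisfy this part)
    sel_del = any(v in cmdline for v in VERBS)
    # selection_extensions: a backslash, a wildcard, then one of the extensions
    sel_ext = any(e.lower() in cmdline for e in EXTENSIONS)
    return sel_img and sel_del and sel_ext

def alerts(events):
    """Command lines of all events the rule would fire on, in input order."""
    return [e["CommandLine"] for e in events if matches(e)]

# Constructed sample events (not from the page or any real host).
CMD = "C:\\Windows\\System32\\cmd.exe"
EVENTS = [
    {"Image": CMD, "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c del C:\\ProgramData\\*.dll & exit"},
    {"Image": CMD, "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c ERASE /q C:\\Users\\Public\\*.js"},
    {"Image": CMD, "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c del C:\\Temp\\report.txt"},          # single file, no wildcard
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell del C:\\Tools\\*.exe"},          # not cmd.exe
]
```

Only the first two events fire; the third has no wildcard and the fourth fails selection_img, which is why a PowerShell `del` alias is out of scope for this rule.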
Related rules
- ADS Zone.Identifier Deleted By Uncommon Application
- Backup Catalog Deleted
- Cisco File Deletion
- Directory Removal Via Rmdir
- File Deleted Via Sysinternals SDelete