Greedy File Deletion Using Del

calendar Oct 4, 2023 · attack.defense_evasion attack.t1070.004  ·
Share on: linkedin copy

Detects execution of the "del" builtin command to remove files using greedy/wildcard expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence.

Sigma rule (View on GitHub)

 1title: Greedy File Deletion Using Del
 2id: 204b17ae-4007-471b-917b-b917b315c5db
 3status: experimental
 4description: Detects execution of the "del" builtin command to remove files using greedy/wildcard expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence.
 5references:
 6    - https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D
 7    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase
 8author: frack113 , X__Junior (Nextron Systems)
 9date: 2021/12/02
10modified: 2023/09/11
11tags:
12    - attack.defense_evasion
13    - attack.t1070.004
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    # Example:
19    #   del C:\ProgramData\*.dll & exit
20    selection_img:
21        - Image|endswith: '\cmd.exe'
22        - OriginalFileName: 'Cmd.Exe'
23    selection_del:
24        CommandLine|contains:
25            - 'del '
26            - 'erase '
27    selection_extensions:
28        CommandLine|contains:
29            - '\\\*.au3'
30            - '\\\*.dll'
31            - '\\\*.exe'
32            - '\\\*.js'
33    condition: all of selection_*
34falsepositives:
35    - Unknown
36level: medium

References

Related rules

to-top