Directory Removal Via Rmdir

calendar Jan 1, 2024 · attack.defense_evasion attack.t1070.004  ·
Share on: linkedin copy

Detects execution of the builtin "rmdir" command in order to delete directories. Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.

Sigma rule (View on GitHub)

 1title: Directory Removal Via Rmdir
 2id: 41ca393d-538c-408a-ac27-cf1e038be80c
 3status: test
 4description: |
 5    Detects execution of the builtin "rmdir" command in order to delete directories.
 6    Adversaries may delete files left behind by the actions of their intrusion activity.
 7    Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.
 8    Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.    
 9references:
10    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
11    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase
12author: frack113
13date: 2022/01/15
14modified: 2023/03/07
15tags:
16    - attack.defense_evasion
17    - attack.t1070.004
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection_img:
23        - Image|endswith: '\cmd.exe'
24        - OriginalFileName: 'Cmd.Exe'
25    selection_rmdir:
26        CommandLine|contains: 'rmdir'
27    selection_flags:
28        CommandLine|contains:
29            - '/s'
30            - '/q'
31    condition: all of selection_*
32falsepositives:
33    - Unknown
34level: low

References

Related rules

to-top