Techniques
Sample rules
File Deletion Via Del
- source: sigma
- techniques:
- t1070
- t1070.004
Description
Detects execution of the cmd.exe built-in "del"/"erase" commands in order to delete files. Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Detection logic
condition: all of selection_*
selection_del:
    CommandLine|contains:
        - 'del '
        - 'erase '
selection_flags:
    CommandLine|contains|windash:
        - ' -f'
        - ' -s'
        - ' -q'
selection_img:
    - Image|endswith: \cmd.exe
    - OriginalFileName: Cmd.Exe
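The detection logic above, run over constructed Sysmon Event ID 1 style process-creation events. This is an added example, not code from the rule, its repository or pySigma: it reimplements only the Sigma semantics this rule relies on (case-insensitive |contains and |endswith, the |windash modifier, OR within a list-valued selection, and "all of selection_*" across selections). The event field names, sample command lines and the helper names are assumptions made for the example.

```python
"""Run the Sigma rule 'File Deletion Via Del' over sample process-creation events.

Added example, not code from the rule, its repository or pySigma. It
reimplements only the Sigma semantics this rule needs: case-insensitive
|contains and |endswith, the |windash modifier, OR within a selection and
'all of selection_*' across them. Field names follow Sysmon Event ID 1
(Image, OriginalFileName, CommandLine); every event below is constructed.
"""

# Selection values transcribed from the detection logic above.
SELECTION_DEL_VALUES = ["del ", "erase "]
SELECTION_FLAGS_VALUES = [" -f", " -s", " -q"]


def windash_variants(value: str) -> list[str]:
    """Expand a |windash value: the dash may also be written as a slash.

    Simplification (assumption): pySigma also emits Unicode dash variants;
    '-' and '/' are the two spellings that matter for cmd.exe switches.
    """
    return [value, value.replace("-", "/")]


def field_contains(event: dict, field: str, needles: list[str]) -> bool:
    """Sigma |contains over a list: case-insensitive substring, any value (OR)."""
    haystack = str(event.get(field, "")).lower()
    return any(n.lower() in haystack for n in needles)


def selection_img(event: dict) -> bool:
    """List of maps = OR: Image|endswith '\\cmd.exe' or OriginalFileName 'Cmd.Exe'."""
    image = str(event.get("Image", "")).lower()
    original = str(event.get("OriginalFileName", "")).lower()
    return image.endswith("\\cmd.exe") or original == "cmd.exe"


def selection_del(event: dict) -> bool:
    return field_contains(event, "CommandLine", SELECTION_DEL_VALUES)


def selection_flags(event: dict) -> bool:
    expanded = [v for flag in SELECTION_FLAGS_VALUES for v in windash_variants(flag)]
    return field_contains(event, "CommandLine", expanded)


def rule_matches(event: dict) -> bool:
    """condition: all of selection_* -> every selection must match (AND)."""
    return selection_img(event) and selection_del(event) and selection_flags(event)


CMD = "C:\\Windows\\System32\\cmd.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed events; 'expect' is the outcome the rule logic should produce.
SAMPLE_EVENTS = [
    {"id": "cleanup_after_drop", "Image": CMD, "OriginalFileName": "Cmd.Exe",
     "CommandLine": 'cmd.exe /c del /f /q "C:\\Users\\Public\\stage1.exe"', "expect": True},
    {"id": "erase_with_dash_flags", "Image": CMD, "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c erase -s -q C:\\Temp\\*.log", "expect": True},
    # Renamed cmd.exe: Image does not end in \cmd.exe, OriginalFileName still does.
    {"id": "renamed_cmd_binary", "Image": "C:\\Users\\Public\\c.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "c.exe /C DEL /F /S /Q C:\\ProgramData\\tool\\", "expect": True},
    # No /f, /s or /q switch: selection_flags fails, so the rule is silent.
    {"id": "del_without_flags", "Image": CMD, "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c del notes.txt", "expect": False},
    # Same intent from PowerShell: selection_img fails (rule is cmd.exe-scoped).
    {"id": "powershell_not_cmd", "Image": PS, "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell -c del -Force C:\\Temp\\x.dll", "expect": False},
    # 'del ' is a substring of 'model ': a benign command line also fires.
    {"id": "substring_false_positive", "Image": CMD, "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c render.exe model -s scene.obj", "expect": True},
]


def run_samples() -> dict[str, bool]:
    """Evaluate the rule over every sample event; returns {id: matched}."""
    return {e["id"]: rule_matches(e) for e in SAMPLE_EVENTS}


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        hit = rule_matches(event)
        status = "OK " if hit == event["expect"] else "BAD"
        print(f"{status} match={hit!s:5} {event['id']:26} {event['CommandLine']}")
```

Two of the constructed events are worth keeping in mind when tuning: a plain "del file.txt" with no switch does not fire, because all three selections must match and selection_flags requires one of -f/-s/-q (or the slash form via windash); and because |contains is a substring test, any argument ending in "del " (such as "model ") satisfies selection_del, so a build or rendering job that also passes a -s or -q switch will produce a hit.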