LoFP / legitimate usage

Techniques

• t1070
• t1070.004
• t1490

Sample rules

Backup Files Deleted

• source: sigma
• technicques:
  • t1490

Description

Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.

Detection logic

condition: selection
selection:
  Image|endswith:
  - \cmd.exe
  - \powershell.exe
  - \pwsh.exe
  - \wt.exe
  - \rundll32.exe
  - \regsvr32.exe
  TargetFilename|endswith:
  - .VHD
  - .bac
  - .bak
  - .wbcat
  - .bkf
  - .set
  - .win
  - .dsk

File Deleted Via Sysinternals SDelete

• source: sigma
• technicques:
  • t1070
  • t1070.004

Description

Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.

Detection logic

condition: selection and not 1 of filter_*
filter_wireshark:
  TargetFilename|endswith: \Wireshark\radius\dictionary.alcatel-lucent.aaa
selection:
  TargetFilename|endswith:
  - .AAA
  - .ZZZ