LoFP / network operator may use this batch command to delete a directory, or the files within a directory, recursively

Techniques

Sample rules

Recursive Delete of Directory In Batch CMD

Description

This search detects a suspicious command line designed to delete files or directories recursively using a batch command. This technique was seen in ransomware (reddot), which tries to delete the files in the Recycle Bin to impair the user's ability to recover deleted files.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` Processes.process=*/c* Processes.process="* rd *" Processes.process="*/s*" Processes.process="*/q*" by Processes.user Processes.process_name Processes.parent_process_name Processes.parent_process Processes.process Processes.process_id Processes.dest
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `recursive_delete_of_directory_in_batch_cmd_filter`
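To make the rule's match conditions and the role of the filter macro concrete, here is an added Python example (not part of the LoFP page or the Splunk rule) that applies the same wildcard tests to constructed Endpoint.Processes events and suppresses the documented false positive, an operator's scheduled cleanup of a known directory. The events, user names, hosts and paths are constructed, and the lowercase comparison is a simplification of Splunk's own matching.

```python
"""Emulate the 'Recursive Delete of Directory In Batch CMD' conditions on sample
events and apply a stand-in for the rule's filter macro. Added example; all
events, users, hosts and paths below are constructed, not real telemetry."""

# Constructed sample events shaped like Endpoint.Processes fields.
SAMPLE_EVENTS = [
    {"user": "ALICE-PC\\alice", "process_name": "cmd.exe",
     "parent_process_name": "reddot.exe",           # ransomware-style parent
     "process": 'cmd.exe /c rd /s /q "C:\\$Recycle.Bin"', "dest": "alice-pc"},
    {"user": "CORP\\svc_cleanup", "process_name": "cmd.exe",
     "parent_process_name": "taskeng.exe",          # scheduled operator cleanup
     "process": "cmd.exe /c rd /s /q D:\\logs\\archive", "dest": "fileserver01"},
    {"user": "CORP\\bob", "process_name": "cmd.exe",
     "parent_process_name": "explorer.exe",
     "process": "cmd.exe /c dir /s /q C:\\temp", "dest": "bob-pc"},  # no 'rd'
]


def matches_rule(event):
    """Mirror the SPL where clause: process contains /c, ' rd ' (spaces on both
    sides, as in the "* rd *" wildcard), /s and /q. Case folding is a simplification."""
    p = event["process"].lower()
    return "/c" in p and " rd " in p and "/s" in p and "/q" in p


# Stand-in for `recursive_delete_of_directory_in_batch_cmd_filter`: the page's
# false positive, an operator deleting a known directory. Constructed allowlist
# keyed on user, parent process and target path, not on the command alone.
ALLOWED = [
    {"user": "corp\\svc_cleanup", "parent_process_name": "taskeng.exe",
     "path_prefix": "d:\\logs\\archive"},
]


def is_known_false_positive(event):
    """True when the event matches every field of an allowlist entry."""
    p = event["process"].lower()
    return any(event["user"].lower() == a["user"]
               and event["parent_process_name"].lower() == a["parent_process_name"]
               and a["path_prefix"] in p
               for a in ALLOWED)


def alerts(events):
    """Events that match the rule and survive the filter: what an analyst would see."""
    return [e for e in events if matches_rule(e) and not is_known_false_positive(e)]
```

Tuning the filter on user plus parent process plus path keeps the Recycle Bin deletion alerting while the operator's archive cleanup is suppressed.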