Detectionmediumtest
Greedy File Deletion Using Del
Detects execution of the "del" builtin command to remove files using greedy/wildcard expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
François Hubaut, X__Junior (Nextron Systems)Created Thu Dec 02Updated Mon Sep 11204b17ae-4007-471b-917b-b917b315c5dbwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic3 selectors
detection:
# Example:
# del C:\ProgramData\*.dll & exit
selection_img:
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'Cmd.Exe'
selection_del:
CommandLine|contains:
- 'del '
- 'erase '
selection_extensions:
CommandLine|contains:
- '\\\*.au3'
- '\\\*.dll'
- '\\\*.exe'
- '\\\*.js'
condition: all of selection_*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Tactics
Sub-techniques
Rule Metadata
Rule ID
204b17ae-4007-471b-917b-b917b315c5db
Status
test
Level
medium
Type
Detection
Created
Thu Dec 02
Modified
Mon Sep 11
Path
rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml
Raw Tags
attack.defense-evasionattack.t1070.004