Detectionlowtest

File Deletion Via Del

Detects execution of the builtin "del"/"erase" commands in order to delete files. Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François HubautCreated Sat Jan 15Updated Tue Mar 05379fa130-190e-4c3f-b7bc-6c8e834485f3windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_del:
        CommandLine|contains:
            - 'del '
            - 'erase '
    selection_flags:
        CommandLine|contains|windash:
            - ' -f' # Force deleting of read-only files.
            - ' -s' # Delete specified files from all subdirectories.
            - ' -q' # Quiet mode, do not ask if ok to delete on global wildcard
    condition: all of selection_*

False Positives

False positives levels will differ Depending on the environment. You can use a combination of ParentImage and other keywords from the CommandLine field to filter legitimate activity

References

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Sub-techniques

T1070.004 · File Deletion

Rule Metadata

Rule ID