Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionlowtest

Directory Removal Via Rmdir

Detects execution of the builtin "rmdir" command in order to delete directories. Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
François HubautCreated Sat Jan 15Updated Tue Mar 0741ca393d-538c-408a-ac27-cf1e038be80cwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic3 selectors
detection:
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_rmdir:
        CommandLine|contains: 'rmdir'
    selection_flags:
        CommandLine|contains:
            - '/s'
            - '/q'
    condition: all of selection_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
github.com
2
Resolving title…
learn.microsoft.com
Testing & Validation

Regression Tests

by SigmaHQ Team
Positive Detection Test1 matchevtx

Microsoft-Windows-Sysmon

EVTX JSON
MITRE ATT&CK
Rule Metadata
Rule ID
41ca393d-538c-408a-ac27-cf1e038be80c
Status
test
Level
low
Type
Detection
Created
Sat Jan 15
Modified
Tue Mar 07
Author
François Hubaut
Path
rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml
Raw Tags
attack.defense-evasionattack.t1070.004
View on GitHub