
Use Of Remove-Item to Delete File - ScriptBlock

Detects PowerShell Remove-Item (or one of its built-in aliases: del, erase, rd, ri, rm, rmdir) invoked with -Path to delete a file, or a folder tree when combined with -Recurse.

Author: François Hubaut
Created: Sat Jan 15
Updated: Thu Mar 17
Rule ID: b8af5f36-1361-4ebe-9e76-e36128d947bf
Hunting Hypothesis
Log Source
Product: Windows (raw: windows)
Category: PowerShell Script (raw: ps_script)

Definition

Requirements: PowerShell Script Block Logging must be enabled, so that executed script blocks are recorded as Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log; without it the ScriptBlockText field this rule matches on does not exist.

Detection Logic
detection:
    selection:
        ScriptBlockText|contains:
            - 'Remove-Item -Path '
            - 'del -Path '
            - 'erase -Path '
            - 'rd -Path '
            - 'ri -Path '
            - 'rm -Path '
            - 'rmdir -Path '
    condition: selection
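
The selection above, run over a handful of constructed script-block events so you can see what the `contains` list catches and what it lets through. This is an added example, not code from the SigmaHQ rule or from Phoenix Studio. It assumes Sigma's default case-insensitive string matching and the usual mapping of the `ps_script` logsource to Event ID 4104 in Microsoft-Windows-PowerShell/Operational; the event dictionaries, the sample script blocks and the helper names (`hunt`, `matching_patterns`, `SAMPLE_EVENTS`) are all invented for the illustration.

```python
"""Evaluate the rule's ScriptBlockText|contains selection over sample 4104 events.

Added example; not part of the SigmaHQ rule. The events below are constructed
for the illustration and were not captured from a real host.
"""

# The `ScriptBlockText|contains` list, copied verbatim from the rule's selection.
SELECTION_CONTAINS = [
    "Remove-Item -Path ",
    "del -Path ",
    "erase -Path ",
    "rd -Path ",
    "ri -Path ",
    "rm -Path ",
    "rmdir -Path ",
]

# Assumed logsource mapping: Sigma category `ps_script` is Script Block Logging,
# i.e. Event ID 4104 in the Microsoft-Windows-PowerShell/Operational channel.
SCRIPT_BLOCK_EVENT_ID = 4104
SCRIPT_BLOCK_CHANNEL = "Microsoft-Windows-PowerShell/Operational"


def matching_patterns(script_block_text):
    """Return the selection patterns found in the text.

    Sigma string modifiers match case-insensitively unless |cased is given,
    so both the field value and each pattern are compared in lowercase.
    """
    haystack = script_block_text.lower()
    return [p for p in SELECTION_CONTAINS if p.lower() in haystack]


def matches_selection(script_block_text):
    """True when the rule's `condition: selection` would be satisfied."""
    return bool(matching_patterns(script_block_text))


def hunt(events):
    """Apply the logsource filter first, then the selection; return the hits."""
    hits = []
    for event in events:
        if event["EventID"] != SCRIPT_BLOCK_EVENT_ID:
            continue
        if event["Channel"] != SCRIPT_BLOCK_CHANNEL:
            continue
        if matches_selection(event["ScriptBlockText"]):
            hits.append(event)
    return hits


def _event(event_id, text, channel=SCRIPT_BLOCK_CHANNEL):
    """Build a minimal constructed event record (hypothetical field names)."""
    return {"EventID": event_id, "Channel": channel, "ScriptBlockText": text}


# Constructed sample events (not real telemetry). The comments record what the
# rule as written does with each one, so its blind spots are visible.
SAMPLE_EVENTS = [
    # Hit: the canonical form the rule was written for.
    _event(4104, r"Remove-Item -Path C:\Windows\Temp\stage1.exe -Force"),
    # Hit: alias form, the 'rm -Path ' pattern fires.
    _event(4104, r"rm -Path $env:TEMP\dropper.ps1 -Recurse"),
    # Hit: case differs, but Sigma matching is case-insensitive.
    _event(4104, r"REMOVE-ITEM -PATH C:\Users\Public\note.txt"),
    # Hit, but benign temp cleanup: the false positive the rule itself lists.
    _event(4104, r"Get-ChildItem $env:TEMP -Filter *.tmp | ForEach-Object { Remove-Item -Path $_.FullName }"),
    # Miss: -LiteralPath is not in the pattern list.
    _event(4104, r"Remove-Item -LiteralPath C:\Windows\Temp\stage1.exe"),
    # Miss: positional path, no '-Path ' token at all.
    _event(4104, r"Remove-Item C:\Windows\Temp\stage1.exe"),
    # Miss: PowerShell accepts unambiguous parameter prefixes such as -Pat.
    _event(4104, r"Remove-Item -Pat C:\Windows\Temp\stage1.exe"),
    # Miss: right text, wrong logsource (4103 is module logging, not script block logging).
    _event(4103, r"Remove-Item -Path C:\Windows\Temp\stage1.exe"),
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("HIT", matching_patterns(hit["ScriptBlockText"]), hit["ScriptBlockText"])
```

Four of the eight samples fire. The three evasions (`-LiteralPath`, a positional path, a parameter prefix) are why this is a level `low` hunting rule rather than an alert: it surfaces the common spelling of a deletion, not every way PowerShell can delete a file. The cleanup one-liner that also fires is the "legitimate PowerShell scripts" false positive listed below, and in practice that class dominates the results, so triage on the target path and the parent process rather than on the match alone.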
False Positives

Legitimate PowerShell scripts

MITRE ATT&CK

Tactic: Defense Evasion (attack.defense-evasion)
Technique: T1070.004 Indicator Removal: File Deletion (attack.t1070.004)

Other

detection.threat-hunting
Rule Metadata
Rule ID
b8af5f36-1361-4ebe-9e76-e36128d947bf
Status
test
Level
low
Type
Threat Hunt
Created
Sat Jan 15
Modified
Thu Mar 17
Path
rules-threat-hunting/windows/powershell/powershell_script/posh_ps_remove_item_path.yml
Raw Tags
attack.defense-evasion, attack.t1070.004, detection.threat-hunting