rules/windows/process_creation/proc_creation_win_cmd_delete.yml

title: Windows Cmd Delete File
id: 379fa130-190e-4c3f-b7bc-6c8e834485f3
status: experimental
description: |
    Adversaries may delete files left behind by the actions of their intrusion activity.
    Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.
    Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
author: frack113
date: 2022/01/15
modifier: 2022/08/20
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|contains|all:
            - ' del '
            - /f
        - CommandLine|contains|all:
            - rmdir
            - /s
            - /q
    condition: selection
falsepositives:
    - Legitimate script
level: low
tags:
    - attack.defense_evasion
    - attack.t1070.004
chore: test rules: warn on errors or invalid FP reasons 2022-05-09 14:43:49 +02:00			`title: Windows Cmd Delete File`
$frack113$ Windows Redcannary 2022-01-15 17:04:03 +01:00			`id: 379fa130-190e-4c3f-b7bc-6c8e834485f3`
			`status: experimental`
			`description: \|`
Update Ref+Selection 2 2022-07-11 17:48:40 +01:00			`Adversaries may delete files left behind by the actions of their intrusion activity.`
			`Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.`
			`Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.`
$frack113$ Windows Redcannary 2022-01-15 17:04:03 +01:00			`author: frack113`
			`date: 2022/01/15`
$frack113$ update 20220820 2022-08-20 11:56:18 +02:00			`modifier: 2022/08/20`
$frack113$ Windows Redcannary 2022-01-15 17:04:03 +01:00			`references:`
Update Ref+Selection 2 2022-07-11 17:48:40 +01:00			`- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md`
$frack113$ Windows Redcannary 2022-01-15 17:04:03 +01:00			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection:`
$frack113$ Fix CommandLine 2022-01-16 11:15:50 +01:00			`- CommandLine\|contains\|all:`
$frack113$ update 20220820 2022-08-20 11:56:18 +02:00			`- ' del '`
$frack113$ Windows Redcannary 2022-01-15 17:04:03 +01:00			`- /f`
chore: test rules: warn on errors or invalid FP reasons 2022-05-09 14:43:49 +02:00			`- CommandLine\|contains\|all:`
$frack113$ Windows Redcannary 2022-01-15 17:04:03 +01:00			`- rmdir`
			`- /s`
chore: test rules: warn on errors or invalid FP reasons 2022-05-09 14:43:49 +02:00			`- /q`
$frack113$ Windows Redcannary 2022-01-15 17:04:03 +01:00			`condition: selection`
			`falsepositives:`
chore: test rules: warn on errors or invalid FP reasons 2022-05-09 14:43:49 +02:00			`- Legitimate script`
$frack113$ Windows Redcannary 2022-01-15 17:04:03 +01:00			`level: low`
			`tags:`
			`- attack.defense_evasion`
$frack113$ Fix CommandLine 2022-01-16 11:15:50 +01:00			`- attack.t1070.004`