rules/windows/process_creation/proc_creation_win_cmd_delete.yml

title: Windows Cmd Delete File 
id: 379fa130-190e-4c3f-b7bc-6c8e834485f3
status: experimental
description: |
  Adversaries may delete files left behind by the actions of their intrusion activity.
  Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.
  Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. 
author: frack113
date: 2022/01/15
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|contains|all:
            - 'del '
            - /f
        - CommandLine|contains|all:    
            - rmdir
            - /s
            - /q 
    condition: selection
falsepositives:
    - Legitim script
level: low
tags:
    - attack.defense_evasion
    - attack.t1070.004
$frack113$ Windows Redcannary 2022-01-15 17:04:03 +01:00			`title: Windows Cmd Delete File`
			`id: 379fa130-190e-4c3f-b7bc-6c8e834485f3`
			`status: experimental`
			`description: \|`
			`Adversaries may delete files left behind by the actions of their intrusion activity.`
			`Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.`
			`Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.`
			`author: frack113`
			`date: 2022/01/15`
			`references:`
			`- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md`
			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection:`
$frack113$ Fix CommandLine 2022-01-16 11:15:50 +01:00			`- CommandLine\|contains\|all:`
$frack113$ Windows Redcannary 2022-01-15 17:04:03 +01:00			`- 'del '`
			`- /f`
$frack113$ Fix CommandLine 2022-01-16 11:15:50 +01:00			`- CommandLine\|contains\|all:`
$frack113$ Windows Redcannary 2022-01-15 17:04:03 +01:00			`- rmdir`
			`- /s`
			`- /q`
			`condition: selection`
			`falsepositives:`
			`- Legitim script`
			`level: low`
			`tags:`
			`- attack.defense_evasion`
$frack113$ Fix CommandLine 2022-01-16 11:15:50 +01:00			`- attack.t1070.004`