From 39928d2cdf1304e76935ca7248ac7fd7c8997e26 Mon Sep 17 00:00:00 2001
From: Gude5 <76428540+Gude5@users.noreply.github.com>
Date: Mon, 27 Feb 2023 15:19:28 +0100
Subject: [PATCH] feat: update del related detection (#4046)
---
 .../process_creation/proc_creation_win_cmd_delete.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_delete.yml b/rules/windows/process_creation/proc_creation_win_cmd_delete.yml
index 05c272296..46aab7be0 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_delete.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_delete.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
 author: frack113
 date: 2022/01/15
-modified: 2022/08/20
+modified: 2023/02/24
 tags:
 - attack.defense_evasion
 - attack.t1070.004
@@ -21,6 +21,9 @@ detection:
 - CommandLine|contains|all:
 - ' del '
 - /f
+ - CommandLine|contains|all:
+ - ' del '
+ - /s
 - CommandLine|contains|all:
 - rmdir
 - /s
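Review bot: The new `' del '` plus `/s` alternative in the second hunk matches `/s` anywhere in the command line, so a shell started as `cmd.exe /s /c "... del ..."` satisfies it even when `del` itself carries no `/s`; `contains|all` checks presence only, not order or adjacency. Software that runs its commands through `cmd /s /c` would therefore likely add benign hits to this rule. An order-aware value such as `CommandLine: '* del */s*'` would tie the switch to the `del` invocation, and the same reasoning applies to the existing `/f` and `rmdir` + `/s` entries shown as context. The `detection` block starts and ends outside the hunk, so a filter or `falsepositives` entry that already covers this is not visible here; if none exists, add `- Software that runs cleanup commands through cmd.exe /s /c` under `falsepositives`.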