Create lnx_file_deletion.yml

2020-10-07 22:28:37 +03:00
parent c56cd2dfff
commit f00e79d123
1 changed files with 26 additions and 0 deletions
@@ -0,0 +1,26 @@
+title: File Deletion
+id: 30aed7b6-d2c1-4eaf-9382-b6bc43e50c57
+status: stable
+description: Detects file deletion commands
+author: Ömer Günal, oscd.community
+date: 2020/10/07
+references:
+    - https://attack.mitre.org/techniques/T1070/004/
+logsource:
+    product: linux
+detection:
+    keywords:
+        - Commands|contains:
+          - 'rm '
+          - 'shred -u'
+          - 'rmdir'
+          - 'unlink'
+          - 'busybox rm -f *'
+          - 'find * -delete'
+    condition: keywords
+falsepositives:
+    - Legitimate administration activities
+level: low
+tags:
+    - attack.defense_evasion
+    - attack.t1070.004