title: Windows Cmd Delete File 
id: 379fa130-190e-4c3f-b7bc-6c8e834485f3
status: experimental
description: |
  Adversaries may delete files left behind by the actions of their intrusion activity.
  Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.
  Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. 
author: frack113
date: 2022/01/15
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|contains|all:
            - 'del '
            - /f
        - CommandLine|contains|all:    
            - rmdir
            - /s
            - /q 
    condition: selection
falsepositives:
    - Legitim script
level: low
tags:
    - attack.defense_evasion
    - attack.t1070.004