File or Directory Deletion Command
This rule identifies the execution of commands that can be used to delete files and directories. Adversaries may delete files and directories on a host system, such as logs, browser history, or malware.
Rule type: eql
Rule indices:
- logs-endpoint.events.process-*
Rule Severity: low
Risk Score: 21
Runs every: 60m
Searches indices from: now-119m
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Defense Evasion
- Rule Type: BBR
- Data Source: Elastic Defend
Version: 6
Rule authors:
- Elastic
Rule license: Elastic License v2
process where host.os.type == "windows" and event.type == "start" and
(
((process.name : "rundll32.exe" or ?process.pe.original_file_name : "RUNDLL32.EXE") and process.args : "*InetCpl.cpl,Clear*") or
((process.name : "reg.exe" or ?process.pe.original_file_name : "reg.exe") and process.args : "delete") or
(
(process.name : "cmd.exe" or ?process.pe.original_file_name : "Cmd.Exe") and
process.args : ("*rmdir*", "*rm *", "rm", "*del *", "del", "*erase *", "erase") and
not process.args : (
"*\\AppData\\Local\\Microsoft\\OneDrive\\*",
"*\\AppData\\Local\\Temp\\DockerDesktop\\*",
"*\\AppData\\Local\\Temp\\Report.*",
"*\\AppData\\Local\\Temp\\*.PackageExtraction"
)
) or
((process.name : "powershell.exe" or ?process.pe.original_file_name : "PowerShell.EXE") and
process.args : ("*rmdir", "rm", "rd", "*Remove-Item*", "del", "*]::Delete(*"))
) and not user.id : "S-1-5-18"
Framework: MITRE ATT&CK
Tactic:
- Name: Defense Evasion
- Id: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Indicator Removal
- Id: T1070
- Reference URL: https://attack.mitre.org/techniques/T1070/
Sub Technique:
- Name: File Deletion
- Id: T1070.004
- Reference URL: https://attack.mitre.org/techniques/T1070/004/