sigmaDRL-1.1from SigmaHQ/sigma
Directory Removal Via Rmdir
Detects execution of the builtin "rmdir" command in order to delete directories. Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Quality
66
FP risk
—
Forks
0
Views
0
ATT&CK techniques
Rule sourcerules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml
title: Directory Removal Via Rmdir
id: 41ca393d-538c-408a-ac27-cf1e038be80c
status: test
description: |
Detects execution of the builtin "rmdir" command in order to delete directories.
Adversaries may delete files left behind by the actions of their intrusion activity.
Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.
Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase
author: frack113
date: 2022-01-15
modified: 2023-03-07
tags:
- attack.defense-evasion
- attack.t1070.004
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'Cmd.Exe'
selection_rmdir:
CommandLine|contains: 'rmdir'
selection_flags:
CommandLine|contains:
- '/s'
- '/q'
condition: all of selection_*
falsepositives:
- Unknown
level: low
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution/info.yml