
Sigma detection rules

50 rules indexed · SIEM-agnostic detection content
Sigma is the open, generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel and other SIEMs; each entry is followed by its raw YAML.

Detection rules

high
Cisco Clear Logs
Clearing of command history in a network OS, which is used for defense evasion
status: test · author: Austin Clark · id: ceb407f6-8277-439b-951f-e4210e3ed956
title: Cisco Clear Logs
id: ceb407f6-8277-439b-951f-e4210e3ed956
status: test
description: Clearing of command history in a network OS, which is used for defense evasion
references:
    - https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/command/reference/sysmgmt/n5k-sysmgmt-cr/n5k-sm_cmds_c.html
    - https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609
author: Austin Clark
date: 2019-08-12
modified: 2023-05-26
tags:
    - attack.stealth
    - attack.t1070.003
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'clear logging'
        - 'clear archive'
    condition: keywords
falsepositives:
    - Legitimate administrators may run these commands
level: high
high
Clearing Windows Console History
Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
status: test · author: Austin Songer @austinsonger · id: bde47d4b-9987-405c-94c7-b080410e8ea7
title: Clearing Windows Console History
id: bde47d4b-9987-405c-94c7-b080410e8ea7
status: test
description: Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
references:
    - https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/
    - https://www.shellhacks.com/clear-history-powershell/
    - https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics
author: Austin Songer @austinsonger
date: 2021-11-25
modified: 2022-12-25
tags:
    - attack.stealth
    - attack.t1070
    - attack.t1070.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection1:
        ScriptBlockText|contains: Clear-History
    selection2a:
        ScriptBlockText|contains:
            - Remove-Item
            - rm
    selection2b:
        ScriptBlockText|contains:
            - ConsoleHost_history.txt
            - (Get-PSReadlineOption).HistorySavePath
    condition: selection1 or selection2a and selection2b
falsepositives:
    - Unknown
level: high
high
Disable Powershell Command History
Detects scripts or commands that disable the PowerShell command history by removing the PSReadline module
status: test · author: Ali Alwashali · id: 602f5669-6927-4688-84db-0d4b7afb2150
title: Disable Powershell Command History
id: 602f5669-6927-4688-84db-0d4b7afb2150
status: test
description: Detects scripts or commands that disable the PowerShell command history by removing the PSReadline module
references:
    - https://twitter.com/DissectMalware/status/1062879286749773824
author: Ali Alwashali
date: 2022-08-21
tags:
    - attack.stealth
    - attack.t1070.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - Remove-Module
            - psreadline
    condition: selection
falsepositives:
    - Legitimate script that disables the command history
level: high
high
Disable of ETW Trace - Powershell
Detects usage of powershell cmdlets to disable or remove ETW trace sessions
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: 115fdba9-f017-42e6-84cf-d5573bf2ddf8
title: Disable of ETW Trace - Powershell
id: 115fdba9-f017-42e6-84cf-d5573bf2ddf8
related:
    - id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
      type: derived
status: test
description: Detects usage of powershell cmdlets to disable or remove ETW trace sessions
references:
    - https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-28
modified: 2022-11-25
tags:
    - attack.stealth
    - attack.defense-impairment
    - attack.t1070
    - attack.t1685
    - car.2016-04-002
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_pwsh_remove:   # Autologger provider removal
        ScriptBlockText|contains: 'Remove-EtwTraceProvider '
    selection_pwsh_set:   # Provider “Enable” property modification
        ScriptBlockText|contains|all:
            - 'Set-EtwTraceProvider '
            - '0x11'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high
high
ETW Trace Evasion Activity
Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.
status: test · author: @neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community · id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
title: ETW Trace Evasion Activity
id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
status: test
description: |
    Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
    - https://abuse.io/lockergoga.txt
    - https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
author: '@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community'
date: 2019-03-22
modified: 2022-06-28
tags:
    - attack.stealth
    - attack.defense-impairment
    - attack.t1070
    - attack.t1685
    - car.2016-04-002
logsource:
    category: process_creation
    product: windows
detection:
    selection_clear_1:
        CommandLine|contains|all:
            - 'cl'
            - '/Trace'
    selection_clear_2:
        CommandLine|contains|all:
            - 'clear-log'
            - '/Trace'
    selection_disable_1:
        CommandLine|contains|all:
            - 'sl'
            - '/e:false'
    selection_disable_2:
        CommandLine|contains|all:
            - 'set-log'
            - '/e:false'
    selection_disable_3:   # ETW provider removal from a trace session
        CommandLine|contains|all:
            - 'logman'
            - 'update'
            - 'trace'
            - '--p'
            - '-ets'
    selection_pwsh_remove:   # Autologger provider removal
        CommandLine|contains: 'Remove-EtwTraceProvider'
    selection_pwsh_set:   # Provider “Enable” property modification
        CommandLine|contains|all:
            - 'Set-EtwTraceProvider'
            - '0x11'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
high
Exchange PowerShell Cmdlet History Deleted
Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: a55349d8-9588-4c5a-8e3b-1925fe2a4ffe
title: Exchange PowerShell Cmdlet History Deleted
id: a55349d8-9588-4c5a-8e3b-1925fe2a4ffe
status: test
description: Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence
references:
    - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-26
modified: 2022-12-30
tags:
    - attack.stealth
    - attack.t1070
logsource:
    category: file_delete
    product: windows
detection:
    selection:
        TargetFilename|startswith: '\Logging\CmdletInfra\LocalPowerShell\Cmdlet\'
        TargetFilename|contains: '_Cmdlet_'
    condition: selection
falsepositives:
    - Possible FP during log rotation
level: high
high
Fsutil Suspicious Invocation
Detects suspicious parameters of fsutil (deleting the USN journal, configuring it with a small size, etc.). Might be used by ransomware during the attack (seen in NotPetya and others).
status: stable · author: Ecco, E.M. Anhaus, oscd.community · id: add64136-62e5-48ea-807e-88638d02df1e
title: Fsutil Suspicious Invocation
id: add64136-62e5-48ea-807e-88638d02df1e
status: stable
description: |
  Detects suspicious parameters of fsutil (deleting the USN journal, configuring it with a small size, etc.).
  Might be used by ransomware during the attack (seen in NotPetya and others).
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md
    - https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html
    - https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md
    - https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt
author: Ecco, E.M. Anhaus, oscd.community
date: 2019-09-26
modified: 2023-09-09
tags:
    - attack.impact
    - attack.stealth
    - attack.t1070
    - attack.t1485
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\fsutil.exe'
        - OriginalFileName: 'fsutil.exe'
    selection_cli:
        CommandLine|contains:
            - 'deletejournal'        # usn deletejournal ==> generally ransomware or attacker
            - 'createjournal'        # usn createjournal ==> can modify config to set it to a tiny size
            - 'setZeroData'          # file setZeroData  ==> empties a file with zeroes
    condition: all of selection_*
falsepositives:
    - Admin activity
    - Scripts and administrative tools used in the monitored environment
level: high
high
Linux Command History Tampering
Detects commands that try to clear or tamper with the Linux command history. This technique is used by threat actors in order to evade defenses and execute commands without them being recorded in files such as "bash_history" or "zsh_history".
status: test · author: Patrick Bareiss · id: fdc88d25-96fb-4b7c-9633-c0e417fdbd4e
title: Linux Command History Tampering
id: fdc88d25-96fb-4b7c-9633-c0e417fdbd4e
status: test
description: |
    Detects commands that try to clear or tamper with the Linux command history.
    This technique is used by threat actors in order to evade defenses and execute commands without them being recorded in files such as "bash_history" or "zsh_history".
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md
    - https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics
    - https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/
author: Patrick Bareiss
date: 2019-03-24
modified: 2024-04-17
tags:
    - attack.stealth
    - attack.t1070.003
logsource:
    product: linux
detection:
    keywords:
        - 'cat /dev/null >*sh_history'
        - 'cat /dev/zero >*sh_history'
        - 'chattr +i*sh_history'
        - 'echo "" >*sh_history'
        - 'empty_bash_history'
        - 'export HISTFILESIZE=0'
        - 'history -c'
        - 'history -w'
        - 'ln -sf /dev/null *sh_history'
        - 'ln -sf /dev/zero *sh_history'
        - 'rm *sh_history'
        - 'shopt -ou history'
        - 'shopt -uo history'
        - 'shred *sh_history'
        - 'truncate -s0 *sh_history'
        # - 'unset HISTFILE'  # prone to false positives
    condition: keywords
falsepositives:
    - Unknown
level: high
high
Prefetch File Deleted
Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence
status: test · author: Cedric MAURUGEON · id: 0a1f9d29-6465-4776-b091-7f43b26e4c89
title: Prefetch File Deleted
id: 0a1f9d29-6465-4776-b091-7f43b26e4c89
status: test
description: Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence
references:
    - Internal Research
    - https://www.group-ib.com/blog/hunting-for-ttps-with-prefetch-files/
author: Cedric MAURUGEON
date: 2021-09-29
modified: 2024-01-25
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|contains: ':\Windows\Prefetch\'
        TargetFilename|endswith: '.pf'
    filter_main_svchost:
        Image|endswith: ':\windows\system32\svchost.exe'
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
high
Remove Exported Mailbox from Exchange Webserver
Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit
status: test · author: Christian Burkard (Nextron Systems) · id: 09570ae5-889e-43ea-aac0-0e1221fb3d95
title: Remove Exported Mailbox from Exchange Webserver
id: 09570ae5-889e-43ea-aac0-0e1221fb3d95
status: test
description: Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit
references:
    - https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430
author: Christian Burkard (Nextron Systems)
date: 2021-08-27
modified: 2023-01-23
tags:
    - attack.stealth
    - attack.t1070
logsource:
    service: msexchange-management
    product: windows
detection:
    keywords:
        '|all':
            - 'Remove-MailboxExportRequest'
            - ' -Identity '
            - ' -Confirm "False"'
    condition: keywords
falsepositives:
    - Unknown
level: high
high
RunMRU Registry Key Deletion
Detects deletion of the RunMRU registry key, which stores the history of commands executed via the Run dialog. In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands. Adversaries may delete this key to cover their tracks after executing commands.
status: experimental · author: Swachchhanda Shrawan Poudel (Nextron Systems) · id: c11aecef-9c37-45a6-9c07-bc0782f963fd
title: RunMRU Registry Key Deletion
id: c11aecef-9c37-45a6-9c07-bc0782f963fd
related:
    - id: 3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55
      type: similar
status: experimental
description: |
    Detects deletion of the RunMRU registry key, which stores the history of commands executed via the Run dialog.
    In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands.
    Adversaries may delete this key to cover their tracks after executing commands.
references:
    - https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-25
tags:
    - attack.stealth
    - attack.t1070.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' del'
            - '\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
RunMRU Registry Key Deletion - Registry
Detects attempts to delete the RunMRU registry key, which stores the history of commands executed via the run dialog. In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands. Adversaries may delete this key to cover their tracks after executing commands.
status: experimental · author: Swachchhanda Shrawan Poudel (Nextron Systems) · id: 3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55
title: RunMRU Registry Key Deletion - Registry
id: 3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55
related:
    - id: c11aecef-9c37-45a6-9c07-bc0782f963fd
      type: similar
status: experimental
description: |
    Detects attempts to delete the RunMRU registry key, which stores the history of commands executed via the run dialog.
    In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands.
    Adversaries may delete this key to cover their tracks after executing commands.
references:
    - https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-25
tags:
    - attack.stealth
    - attack.t1070.003
logsource:
    category: registry_delete
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    condition: selection
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_delete/registry_delete_runmru/info.yml
high
Shadow Copies Deletion Using Operating Systems Utilities
Detects Shadow Copies deletion using operating system utilities
status: stable · author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades) · id: c947b146-0abc-4c87-9c64-b17e9d7274a2
title: Shadow Copies Deletion Using Operating Systems Utilities
id: c947b146-0abc-4c87-9c64-b17e9d7274a2
status: stable
description: Detects Shadow Copies deletion using operating system utilities
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://blog.talosintelligence.com/2017/05/wannacry.html
    - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/
    - https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/
    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
    - https://github.com/Neo23x0/Raccine#the-process
    - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar
    - https://redcanary.com/blog/intelligence-insights-october-2021/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware
author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)
date: 2019-10-22
modified: 2022-11-03
tags:
    - attack.impact
    - attack.stealth
    - attack.t1070
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection1_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\wmic.exe'
              - '\vssadmin.exe'
              - '\diskshadow.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'wmic.exe'
              - 'VSSADMIN.EXE'
              - 'diskshadow.exe'
    selection1_cli:
        CommandLine|contains|all:
            - 'shadow'  # will match "delete shadows" and "shadowcopy delete" and "shadowstorage"
            - 'delete'
    selection2_img:
        - Image|endswith: '\wbadmin.exe'
        - OriginalFileName: 'WBADMIN.EXE'
    selection2_cli:
        CommandLine|contains|all:
            - 'delete'
            - 'catalog'
            - 'quiet' # will match -quiet or /quiet
    selection3_img:
        - Image|endswith: '\vssadmin.exe'
        - OriginalFileName: 'VSSADMIN.EXE'
    selection3_cli:
        CommandLine|contains|all:
            - 'resize'
            - 'shadowstorage'
        CommandLine|contains:
            - 'unbounded'
            - '/MaxSize='
    condition: (all of selection1*) or (all of selection2*) or (all of selection3*)
falsepositives:
    - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
    - LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)
level: high
high
Suspicious Ping/Del Command Combination
Detects a method often used by ransomware, which combines "ping" to wait a couple of seconds and then "del" to delete the file in question. It is used, for example, to hide the file responsible for the initial infection.
status: test · author: Ilya Krestinichev · id: 54786ddc-5b8a-11ed-9b6a-0242ac120002
title: Suspicious Ping/Del Command Combination
id: 54786ddc-5b8a-11ed-9b6a-0242ac120002
status: test
description: Detects a method often used by ransomware, which combines "ping" to wait a couple of seconds and then "del" to delete the file in question. It is used, for example, to hide the file responsible for the initial infection.
references:
    - https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack
    - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf
    - https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware
author: Ilya Krestinichev
date: 2022-11-03
modified: 2024-03-05
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    category: process_creation
    product: windows
detection:
    # Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277
    # Example: "C:\Windows\System32\cmd.exe"  /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\User\Desktop\lockbit\lockbit.exe" & Del /f /q "C:\Users\User\Desktop\lockbit\lockbit.exe".
    selection_count:
        CommandLine|contains|windash: ' -n '
    selection_nul:
        CommandLine|contains: 'Nul' # Covers "> Nul" and ">Nul "
    selection_del_param:
        CommandLine|contains|windash:
            - ' -f '
            - ' -q '
    selection_all:
        CommandLine|contains|all:
            - 'ping' # Covers "ping" and "ping.exe"
            - 'del '
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Sysmon Driver Unloaded Via Fltmc.EXE
Detects possible Sysmon filter driver unloaded via fltmc.exe
status: test · author: Kirill Kiryanov, oscd.community · id: 4d7cda18-1b12-4e52-b45c-d28653210df8
title: Sysmon Driver Unloaded Via Fltmc.EXE
id: 4d7cda18-1b12-4e52-b45c-d28653210df8
related:
    - id: 4931188c-178e-4ee7-a348-39e8a7a56821 # Generic
      type: similar
status: test
description: Detects possible Sysmon filter driver unloaded via fltmc.exe
references:
    - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
author: Kirill Kiryanov, oscd.community
date: 2019-10-23
modified: 2023-02-13
tags:
    - attack.stealth
    - attack.defense-impairment
    - attack.t1070
    - attack.t1685
    - attack.t1685.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\fltMC.exe'
        - OriginalFileName: 'fltMC.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'unload'
            - 'sysmon'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
high
Terminal Server Client Connection History Cleared - Registry
Detects the deletion of registry keys containing the MSTSC connection history
status: test · author: Christian Burkard (Nextron Systems) · id: 07bdd2f5-9c58-4f38-aec8-e101bb79ef8d
title: Terminal Server Client Connection History Cleared - Registry
id: 07bdd2f5-9c58-4f38-aec8-e101bb79ef8d
status: test
description: Detects the deletion of registry keys containing the MSTSC connection history
references:
    - https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer
    - http://woshub.com/how-to-clear-rdp-connections-history/
    - https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
author: Christian Burkard (Nextron Systems)
date: 2021-10-19
modified: 2023-02-08
tags:
    - attack.persistence
    - attack.stealth
    - attack.defense-impairment
    - attack.t1070
    - attack.t1112
logsource:
    category: registry_delete
    product: windows
detection:
    selection1:
        EventType: DeleteValue
        TargetObject|contains: '\Microsoft\Terminal Server Client\Default\MRU'
    selection2:
        EventType: DeleteKey
        TargetObject|contains: '\Microsoft\Terminal Server Client\Servers\'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high
medium
ADS Zone.Identifier Deleted By Uncommon Application
Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: 3109530e-ab47-4cc6-a953-cac5ebcc93ae
title: ADS Zone.Identifier Deleted By Uncommon Application
id: 3109530e-ab47-4cc6-a953-cac5ebcc93ae
related:
    - id: 7eac0a16-5832-4e81-865f-0268a6d19e4b
      type: similar
status: test
description: Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
references:
    - https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-04
modified: 2025-07-04
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|endswith: ':Zone.Identifier'
    filter_main_generic:
        # Note: in some envs this activity might be performed by other software. Apply additional filters as necessary
        Image:
            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Windows\explorer.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - 'C:\Windows\SysWOW64\explorer.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    filter_optional_browsers_chrome:
        Image:
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
    filter_optional_browsers_firefox:
        Image:
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
    filter_optional_browsers_msedge:
        Image:
            - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
            - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Other third party applications not listed.
level: medium
medium
Backup Catalog Deleted
Detects backup catalog deletions
status: test · author: Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection) · id: 9703792d-fd9a-456d-a672-ff92efe4806a
title: Backup Catalog Deleted
id: 9703792d-fd9a-456d-a672-ff92efe4806a
status: test
description: Detects backup catalog deletions
references:
    - https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx
    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
author: Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection)
date: 2017-05-12
modified: 2022-12-25
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    product: windows
    service: application
detection:
    selection:
        EventID: 524
        Provider_Name: Microsoft-Windows-Backup
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Cisco File Deletion
Detects files being deleted from flash file systems
status: test · author: Austin Clark · id: 71d65515-c436-43c0-841b-236b1f32c21e
title: Cisco File Deletion
id: 71d65515-c436-43c0-841b-236b1f32c21e
status: test
description: Detects files being deleted from flash file systems
author: Austin Clark
date: 2019-08-12
modified: 2023-01-04
tags:
    - attack.impact
    - attack.stealth
    - attack.t1070.004
    - attack.t1561.001
    - attack.t1561.002
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'erase'
        - 'delete'
        - 'format'
    condition: keywords
falsepositives:
    - Will be used sometimes by admins to clean up local flash space
level: medium
medium
Clear PowerShell History - PowerShell
Detects keywords that could indicate clearing PowerShell history
status: test · author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community · id: 26b692dc-1722-49b2-b496-a8258aa6371d
title: Clear PowerShell History - PowerShell
id: 26b692dc-1722-49b2-b496-a8258aa6371d
related:
    - id: dfba4ce1-e0ea-495f-986e-97140f31af2d
      type: derived
status: test
description: Detects keywords that could indicate clearing PowerShell history
references:
    - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2022-01-25
modified: 2022-12-02
tags:
    - attack.stealth
    - attack.t1070.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection1a:
        ScriptBlockText|contains:
            - 'del'
            - 'Remove-Item'
            - 'rm'
    selection1b:
        ScriptBlockText|contains: '(Get-PSReadlineOption).HistorySavePath'
    selection_2:
        ScriptBlockText|contains|all:
            - 'Set-PSReadlineOption'
            - '–HistorySaveStyle'  # not sure if the homoglyph –/- is intended, just checking for both
            - 'SaveNothing'
    selection_3:
        ScriptBlockText|contains|all:
            - 'Set-PSReadlineOption'
            - '-HistorySaveStyle'
            - 'SaveNothing'
    condition: 1 of selection_* or all of selection1*
falsepositives:
    - Legitimate PowerShell scripts
level: medium
medium
Clear PowerShell History - PowerShell Module
Detects keywords that could indicate clearing PowerShell history
status: test · author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community · id: f99276ad-d122-4989-a09a-d00904a5f9d2
title: Clear PowerShell History - PowerShell Module
id: f99276ad-d122-4989-a09a-d00904a5f9d2
related:
    - id: dfba4ce1-e0ea-495f-986e-97140f31af2d
      type: derived
status: test
description: Detects keywords that could indicate clearing PowerShell history
references:
    - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2019-10-25
modified: 2022-12-02
tags:
    - attack.stealth
    - attack.t1070.003
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_1a_payload:
        Payload|contains:
            - 'del'
            - 'Remove-Item'
            - 'rm'
    selection_1b_payload:
        Payload|contains: '(Get-PSReadlineOption).HistorySavePath'
    selection_payload_2:
        Payload|contains|all:
            - 'Set-PSReadlineOption'
            - '–HistorySaveStyle'  # not sure if the homoglyph –/- is intended, just checking for both
            - 'SaveNothing'
    selection_payload_3:
        Payload|contains|all:
            - 'Set-PSReadlineOption'
            - '-HistorySaveStyle'
            - 'SaveNothing'
    condition: 1 of selection_payload_* or all of selection_1*
falsepositives:
    - Legitimate PowerShell scripts
level: medium
medium
DLL Load By System Process From Suspicious Locations
Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public"
status test author Nasreddine Bencherchali (Nextron Systems) id 9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c
title: DLL Load By System Process From Suspicious Locations
id: 9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c
status: test
description: Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public"
references:
    - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-17
modified: 2023-09-18
tags:
    - attack.stealth
    - attack.t1070
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Image|startswith: 'C:\Windows\'
        ImageLoaded|startswith:
            # TODO: Add more suspicious paths as you see fit in your env
            - 'C:\Users\Public\'
            - 'C:\PerfLogs\'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Disable Administrative Share Creation at Startup
Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system
status test author frack113 id c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e
title: Disable Administrative Share Creation at Startup
id: c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e
status: test
description: Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md#atomic-test-4---disable-administrative-share-creation-at-startup
author: frack113
date: 2022-01-16
modified: 2024-03-25
tags:
    - attack.stealth
    - attack.t1070.005
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Services\LanmanServer\Parameters\'
        TargetObject|endswith:
            - '\AutoShareWks'
            - '\AutoShareServer'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_administrative_share/info.yml
simulation:
    - type: atomic-red-team
      name: Disable Administrative Share Creation at Startup
      technique: T1070.005
      atomic_guid: 99c657aa-ebeb-4179-a665-69288fdd12b8
medium
EventLog EVTX File Deleted
Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence
status test author Nasreddine Bencherchali (Nextron Systems) id 63c779ba-f638-40a0-a593-ddd45e8b1ddc
title: EventLog EVTX File Deleted
id: 63c779ba-f638-40a0-a593-ddd45e8b1ddc
status: test
description: Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
tags:
    - attack.stealth
    - attack.t1070
logsource:
    category: file_delete
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Windows\System32\winevt\Logs\'
        TargetFilename|endswith: '.evtx'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
File Deleted Via Sysinternals SDelete
Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.
status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) id 6ddab845-b1b8-49c2-bbf7-1a11967f64bc
title: File Deleted Via Sysinternals SDelete
id: 6ddab845-b1b8-49c2-bbf7-1a11967f64bc
status: test
description: Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/9
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2023-02-15
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|endswith:
            - '.AAA'
            - '.ZZZ'
    filter_wireshark:
        TargetFilename|endswith: '\Wireshark\radius\dictionary.alcatel-lucent.aaa'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate usage
level: medium
medium
File Time Attribute Change
Detect file time attribute change to hide new or changes to existing files
status test author Igor Fits, Mikhail Larin, oscd.community id 88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0
title: File Time Attribute Change
id: 88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0
status: test
description: Detect file time attribute change to hide new or changes to existing files
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
author: Igor Fits, Mikhail Larin, oscd.community
date: 2020-10-19
modified: 2022-01-12
tags:
    - attack.stealth
    - attack.t1070.006
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        Image|endswith: '/touch'
        CommandLine|contains:
            - '-t'
            - '-acmr'
            - '-d'
            - '-r'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
File Time Attribute Change - Linux
Detect file time attribute change to hide new or changes to existing files.
status test author Igor Fits, oscd.community id b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b
title: File Time Attribute Change - Linux
id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b
status: test
description: Detect file time attribute change to hide new or changes to existing files.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
author: 'Igor Fits, oscd.community'
date: 2020-10-15
modified: 2022-11-28
tags:
    - attack.stealth
    - attack.t1070.006
logsource:
    product: linux
    service: auditd
detection:
    execve:
        type: 'EXECVE'
    touch:
        - 'touch'
    selection2:
        - '-t'
        - '-acmr'
        - '-d'
        - '-r'
    condition: execve and touch and selection2
falsepositives:
    - Unknown
level: medium
simulation:
    - type: atomic-red-team
      name: Set a file's access timestamp
      technique: T1070.006
      atomic_guid: 5f9113d5-ed75-47ed-ba23-ea3573d05810
    - type: atomic-red-team
      name: Set a file's modification timestamp
      technique: T1070.006
      atomic_guid: 20ef1523-8758-4898-b5a2-d026cc3d2c52
    - type: atomic-red-team
      name: Modify file timestamps using reference file
      technique: T1070.006
      atomic_guid: 631ea661-d661-44b0-abdb-7a7f3fc08e50
medium
Filter Driver Unloaded Via Fltmc.EXE
Detect filter driver unloading activity via fltmc.exe
status test author Nasreddine Bencherchali (Nextron Systems) id 4931188c-178e-4ee7-a348-39e8a7a56821
title: Filter Driver Unloaded Via Fltmc.EXE
id: 4931188c-178e-4ee7-a348-39e8a7a56821
related:
    - id: 4d7cda18-1b12-4e52-b45c-d28653210df8 # Sysmon specific
      type: derived
status: test
description: Detect filter driver unloading activity via fltmc.exe
references:
    - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
    - https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-13
modified: 2025-10-07
tags:
    - attack.stealth
    - attack.defense-impairment
    - attack.t1070
    - attack.t1685
    - attack.t1685.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\fltMC.exe'
        - OriginalFileName: 'fltMC.exe'
    selection_cli:
        CommandLine|contains: 'unload'
    filter_optional_avira:
        ParentImage|contains:
            - '\AppData\Local\Temp\'
            - ':\Windows\Temp\'
        ParentImage|endswith: '\endpoint-protection-installer-x64.tmp'
        CommandLine|endswith:
            - 'unload rtp_filesystem_filter'
            - 'unload rtp_filter'
    filter_optional_manageengine:
        ParentImage: 'C:\Program Files (x86)\ManageEngine\uems_agent\bin\dcfaservice64.exe'
        CommandLine|endswith: 'unload DFMFilter'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
medium
Greedy File Deletion Using Del
Detects execution of the "del" builtin command to remove files using a greedy/wildcard expression. This is often used by malware to delete the content of folders that may contain the initial malware infection, or to delete evidence.
status test author frack113, X__Junior (Nextron Systems) id 204b17ae-4007-471b-917b-b917b315c5db
title: Greedy File Deletion Using Del
id: 204b17ae-4007-471b-917b-b917b315c5db
status: test
description: Detects execution of the "del" builtin command to remove files using a greedy/wildcard expression. This is often used by malware to delete the content of folders that may contain the initial malware infection, or to delete evidence.
references:
    - https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase
author: frack113, X__Junior (Nextron Systems)
date: 2021-12-02
modified: 2023-09-11
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    category: process_creation
    product: windows
detection:
    # Example:
    #   del C:\ProgramData\*.dll & exit
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_del:
        CommandLine|contains:
            - 'del '
            - 'erase '
    selection_extensions:
        CommandLine|contains:
            - '\\\*.au3'
            - '\\\*.dll'
            - '\\\*.exe'
            - '\\\*.js'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
IIS WebServer Access Logs Deleted
Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence
status test author Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) id 3eb8c339-a765-48cc-a150-4364c04652bf
title: IIS WebServer Access Logs Deleted
id: 3eb8c339-a765-48cc-a150-4364c04652bf
related:
    - id: 0649be4a-aeb0-45b0-b89e-7f1668f6d9c0
      type: similar
status: test
description: Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence
references:
    - https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html
author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-16
modified: 2023-02-15
tags:
    - attack.stealth
    - attack.t1070
logsource:
    category: file_delete
    product: windows
detection:
    selection:
        TargetFilename|contains: '\inetpub\logs\LogFiles\'
        TargetFilename|endswith: '.log'
    condition: selection
falsepositives:
    - During uninstallation of the IIS service
    - During log rotation
level: medium
medium
IIS WebServer Log Deletion via CommandLine Utilities
Detects attempts to delete Internet Information Services (IIS) log files via command line utilities, which is a common defense evasion technique used by attackers to cover their tracks. Threat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) id 0649be4a-aeb0-45b0-b89e-7f1668f6d9c0
title: IIS WebServer Log Deletion via CommandLine Utilities
id: 0649be4a-aeb0-45b0-b89e-7f1668f6d9c0
related:
    - id: 3eb8c339-a765-48cc-a150-4364c04652bf
      type: similar
status: experimental
description: |
    Detects attempts to delete Internet Information Services (IIS) log files via command line utilities, which is a common defense evasion technique used by attackers to cover their tracks.
    Threat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection.
references:
    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/managing-iis-log-file-storage
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-02
tags:
    - attack.stealth
    - attack.t1070
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\cmd.exe'
              - '\powershell_ise.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'cmd.exe'
              - 'powershell.exe'
              - 'powershell_ise.exe'
              - 'pwsh.dll'
    selection_cli_del:
        CommandLine|contains:
            - 'del '
            - 'erase '
            - 'rm '
            - 'remove-item '
            - 'rmdir '
    selection_cli_iis_dir:
        CommandLine|contains: '\inetpub\logs\'
    condition: all of selection_*
falsepositives:
    - Deletion of IIS logs that are older than a certain retention period as part of regular maintenance activities.
    - Legitimate schedule tasks or scripts that clean up log files regularly.
    # More Fp cases
    # https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/managing-iis-log-file-storage#02
level: medium
medium
Kubernetes Events Deleted
Detects when events are deleted in Kubernetes. An adversary may delete Kubernetes events in an attempt to evade detection.
status test author Leo Tsaousis (@laripping) id 3132570d-cab2-4561-9ea6-1743644b2290
title: Kubernetes Events Deleted
id: 3132570d-cab2-4561-9ea6-1743644b2290
related:
    - id: 225d8b09-e714-479c-a0e4-55e6f29adf35
      type: derived
status: test
description: |
    Detects when events are deleted in Kubernetes.
    An adversary may delete Kubernetes events in an attempt to evade detection.
references:
    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
    - attack.stealth
    - attack.t1070
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'delete'
        objectRef.resource: 'events'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
Detects potentially malicious and unauthorized usage of bcdedit.exe
status test author @neu5ron id c9fbe8e9-119d-40a6-9b59-dd58a5d84429
title: Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
id: c9fbe8e9-119d-40a6-9b59-dd58a5d84429
status: test
description: Detects potentially malicious and unauthorized usage of bcdedit.exe
references:
    - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
    - https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2
author: '@neu5ron'
date: 2019-02-07
modified: 2023-02-15
tags:
    - attack.stealth
    - attack.t1070
    - attack.persistence
    - attack.t1542.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bcdedit.exe'
        - OriginalFileName: 'bcdedit.exe'
    selection_cli:
        CommandLine|contains:
            - 'delete'
            - 'deletevalue'
            - 'import'
            - 'safeboot'
            - 'network'
    condition: all of selection_*
level: medium
medium
Potential Secure Deletion with SDelete
Detects files that have extensions commonly seen while SDelete is used to wipe files.
status test author Thomas Patzke id 39a80702-d7ca-4a83-b776-525b1f86a36d
title: Potential Secure Deletion with SDelete
id: 39a80702-d7ca-4a83-b776-525b1f86a36d
status: test
description: Detects files that have extensions commonly seen while SDelete is used to wipe files.
references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm
    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
    - https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete
author: Thomas Patzke
date: 2017-06-14
modified: 2024-12-13
tags:
    - attack.impact
    - attack.stealth
    - attack.defense-impairment
    - attack.t1070.004
    - attack.t1027.005
    - attack.t1485
    - attack.t1553.002
    - attack.s0195
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4656
            - 4663
            - 4658
        ObjectName|endswith:
            - '.AAA'
            - '.ZZZ'
    condition: selection
falsepositives:
    - Legitimate usage of SDelete
    - Files that are interacted with that have these extensions legitimately
level: medium
medium
Potentially Suspicious Ping/Copy Command Combination
Detects an uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, a combination usually used by malware.
status test author X__Junior (Nextron Systems) id ded2b07a-d12f-4284-9b76-653e37b6c8b0
title: Potentially Suspicious Ping/Copy Command Combination
id: ded2b07a-d12f-4284-9b76-653e37b6c8b0
status: test
description: |
    Detects an uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, a combination usually used by malware.
references:
    - Internal Research
author: X__Junior (Nextron Systems)
date: 2023-07-18
modified: 2024-03-06
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    category: process_creation
    product: windows
detection:
    # Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277
    selection_cmd:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_action:
        CommandLine|contains|all:
            - 'ping' # Covers "ping" and "ping.exe"
            - 'copy '
    selection_cli_1:
        CommandLine|contains|windash: ' -n ' # Count
    selection_cli_2:
        CommandLine|contains|windash: ' -y '
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
PowerShell Console History Logs Deleted
Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence
status test author Nasreddine Bencherchali (Nextron Systems) id ff301988-c231-4bd0-834c-ac9d73b86586
title: PowerShell Console History Logs Deleted
id: ff301988-c231-4bd0-834c-ac9d73b86586
status: test
description: Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
tags:
    - attack.stealth
    - attack.t1070
logsource:
    category: file_delete
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\PSReadLine\ConsoleHost_history.txt'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
PowerShell Deleted Mounted Share
Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
status test author oscd.community, @redcanary, Zach Stanford @svch0st id 66a4d409-451b-4151-94f4-a55d559c49b0
title: PowerShell Deleted Mounted Share
id: 66a4d409-451b-4151-94f4-a55d559c49b0
status: test
description: Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md
author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
date: 2020-10-08
modified: 2025-10-07
tags:
    - attack.stealth
    - attack.t1070.005
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Remove-SmbShare'
            - 'Remove-FileShare'
    filter_main_module_load:
        ScriptBlockText|contains|all:
            - 'FileShare.cdxml'
            - 'Microsoft.PowerShell.Core\Export-ModuleMember'
            - 'ROOT/Microsoft/Windows/Storage/MSFT_FileShare'
            - 'ObjectModelWrapper'
            - 'Cmdletization.MethodParameter'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Administrators or Power users may remove their shares via cmd line
level: medium
medium
Powershell Timestomp
Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.
status test author frack113 id c6438007-e081-42ce-9483-b067fbef33c3
title: Powershell Timestomp
id: c6438007-e081-42ce-9483-b067fbef33c3
status: test
description: |
    Adversaries may modify file time attributes to hide new or changes to existing files.
    Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
    - https://www.offensive-security.com/metasploit-unleashed/timestomp/
author: frack113
date: 2021-08-03
modified: 2022-12-25
tags:
    - attack.stealth
    - attack.t1070.006
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_ioc:
        ScriptBlockText|contains:
            - '.CreationTime ='
            - '.LastWriteTime ='
            - '.LastAccessTime ='
            - '[IO.File]::SetCreationTime'
            - '[IO.File]::SetLastAccessTime'
            - '[IO.File]::SetLastWriteTime'
    condition: selection_ioc
falsepositives:
    - Legitimate admin script
level: medium
medium
SES Identity Has Been Deleted
Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities
status test author Janantha Marasinghe id 20f754db-d025-4a8f-9d74-e0037e999a9a
title: SES Identity Has Been Deleted
id: 20f754db-d025-4a8f-9d74-e0037e999a9a
status: test
description: Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities
references:
    - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
author: Janantha Marasinghe
date: 2022-12-13
modified: 2022-12-28
tags:
    - attack.stealth
    - attack.t1070
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'ses.amazonaws.com'
        eventName: 'DeleteIdentity'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Suspicious IO.FileStream
Detects a PowerShell script opening a handle on a drive volume via the \\.\ DOS device path specifier and performing a direct-access read of the first few bytes of the volume.
status test author frack113 id 70ad982f-67c8-40e0-a955-b920c2fa05cb
title: Suspicious IO.FileStream
id: 70ad982f-67c8-40e0-a955-b920c2fa05cb
status: test
description: Detects a PowerShell script opening a handle on a drive volume via the \\.\ DOS device path specifier and performing a direct-access read of the first few bytes of the volume.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1006/T1006.md
author: frack113
date: 2022-01-09
modified: 2022-03-05
tags:
    - attack.stealth
    - attack.t1070.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - New-Object
            - IO.FileStream
            - '\\\\.\\'
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: medium
medium
Tomcat WebServer Logs Deleted
Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence
status test author Nasreddine Bencherchali (Nextron Systems) id 270185ff-5f50-4d6d-a27f-24c3b8c9fef8
title: Tomcat WebServer Logs Deleted
id: 270185ff-5f50-4d6d-a27f-24c3b8c9fef8
status: test
description: Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence
references:
    - Internal Research
    - https://linuxhint.com/view-tomcat-logs-windows/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-16
tags:
    - attack.stealth
    - attack.t1070
logsource:
    category: file_delete
    product: windows
detection:
    selection:
        TargetFilename|contains|all:
            - '\Tomcat'
            - '\logs\'
        TargetFilename|contains:
            - 'catalina.'
            - '_access_log.'
            - 'localhost.'
    condition: selection
falsepositives:
    - During uninstallation of the tomcat server
    - During log rotation
level: medium
medium
Touch Suspicious Service File
Detects usage of the "touch" process on a service file.
status test author Joseliyo Sanchez, @Joseliyo_Jstnk id 31545105-3444-4584-bebf-c466353230d2
title: Touch Suspicious Service File
id: 31545105-3444-4584-bebf-c466353230d2
status: test
description: Detects usage of the "touch" process on a service file.
references:
    - https://blogs.blackberry.com/
    - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-01-11
tags:
    - attack.stealth
    - attack.t1070.006
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/touch'
        CommandLine|contains: ' -t '
        CommandLine|endswith: '.service'
    condition: selection
falsepositives:
    - Admin changing date of files.
level: medium
low
Directory Removal Via Rmdir
Detects execution of the builtin "rmdir" command in order to delete directories. Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
status test author frack113 id 41ca393d-538c-408a-ac27-cf1e038be80c
title: Directory Removal Via Rmdir
id: 41ca393d-538c-408a-ac27-cf1e038be80c
status: test
description: |
    Detects execution of the builtin "rmdir" command in order to delete directories.
    Adversaries may delete files left behind by the actions of their intrusion activity.
    Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces that indicate what was done within a network and how.
    Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase
author: frack113
date: 2022-01-15
modified: 2023-03-07
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_rmdir:
        CommandLine|contains: 'rmdir'
    selection_flags:
        CommandLine|contains:
            - '/s'
            - '/q'
    condition: all of selection_*
falsepositives:
    - Unknown
level: low
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution/info.yml
low
File Deletion Via Del
Detects execution of the builtin "del"/"erase" commands in order to delete files. Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
status test author frack113 id 379fa130-190e-4c3f-b7bc-6c8e834485f3
title: File Deletion Via Del
id: 379fa130-190e-4c3f-b7bc-6c8e834485f3
status: test
description: |
    Detects execution of the builtin "del"/"erase" commands in order to delete files.
    Adversaries may delete files left behind by the actions of their intrusion activity.
    Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces that indicate what was done within a network and how.
    Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase
author: frack113
date: 2022-01-15
modified: 2024-03-05
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_del:
        CommandLine|contains:
            - 'del '
            - 'erase '
    selection_flags:
        CommandLine|contains|windash:
            - ' -f' # Force deleting of read-only files.
            - ' -s' # Delete specified files from all subdirectories.
            - ' -q' # Quiet mode, do not ask if ok to delete on global wildcard
    condition: all of selection_*
falsepositives:
    - False positive levels will differ depending on the environment. You can use a combination of ParentImage and other keywords from the CommandLine field to filter legitimate activity
level: low
low
Linux Package Uninstall
Detects Linux package removal using builtin tools such as "yum", "apt", "apt-get" or "dpkg".
status test author Tuan Le (NCSGroup), Nasreddine Bencherchali (Nextron Systems) id 95d61234-7f56-465c-6f2d-b562c6fedbc4
title: Linux Package Uninstall
id: 95d61234-7f56-465c-6f2d-b562c6fedbc4
status: test
description: Detects Linux package removal using builtin tools such as "yum", "apt", "apt-get" or "dpkg".
references:
    - https://sysdig.com/blog/mitre-defense-evasion-falco
    - https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command
    - https://linuxhint.com/uninstall_yum_package/
    - https://linuxhint.com/uninstall-debian-packages/
author: Tuan Le (NCSGroup), Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-09
tags:
    - attack.stealth
    - attack.t1070
logsource:
    product: linux
    category: process_creation
detection:
    selection_yum:
        Image|endswith: '/yum'
        CommandLine|contains:
            - 'erase'
            - 'remove'
    selection_apt:
        Image|endswith:
            - '/apt'
            - '/apt-get'
        CommandLine|contains:
            - 'remove'
            - 'purge'
    selection_dpkg:
        Image|endswith: '/dpkg'
        CommandLine|contains:
            - '--remove '
            - ' -r '
    selection_rpm:
        Image|endswith: '/rpm'
        CommandLine|contains: ' -e '
    condition: 1 of selection_*
falsepositives:
    - Administrator or administrator scripts might delete packages for several reasons (debugging, troubleshooting).
level: low
low
MaxMpxCt Registry Value Changed
Detects changes to the "MaxMpxCt" registry value. MaxMpxCt specifies the maximum number of outstanding network requests the server allows per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note that if the value is set beyond 125, older Windows 9x clients will fail to negotiate. Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.
status test author Nasreddine Bencherchali (Nextron Systems) id 0e6a9e62-627e-496c-aef5-bfa39da29b5e
title: MaxMpxCt Registry Value Changed
id: 0e6a9e62-627e-496c-aef5-bfa39da29b5e
status: test
description: |
    Detects changes to the "MaxMpxCt" registry value.
    MaxMpxCt specifies the maximum number of outstanding network requests the server allows per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note that if the value is set beyond 125, older Windows 9x clients will fail to negotiate.
    Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.
references:
    - https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
    - https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware
    - https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1
    - https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-03-19
tags:
    - attack.stealth
    - attack.t1070.005
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Services\LanmanServer\Parameters\MaxMpxCt'
    condition: selection
falsepositives:
    - Unknown
level: low
low
TeamViewer Log File Deleted
Detects the deletion of TeamViewer log files, which may indicate an attempt to destroy forensic evidence.
status test author frack113 id b1decb61-ed83-4339-8e95-53ea51901720
title: TeamViewer Log File Deleted
id: b1decb61-ed83-4339-8e95-53ea51901720
status: test
description: Detects the deletion of TeamViewer log files, which may indicate an attempt to destroy forensic evidence.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
author: frack113
date: 2022-01-16
modified: 2023-02-15
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|contains: '\TeamViewer_'
        TargetFilename|endswith: '.log'
    filter:
        Image: C:\Windows\system32\svchost.exe
    condition: selection and not filter
falsepositives:
    - Unknown
level: low
low
Unauthorized System Time Modification
Detects scenarios where a potentially unauthorized application or user is modifying the system time.
status test author @neu5ron id faa031b5-21ed-4e02-8881-2591f98d82ed
title: Unauthorized System Time Modification
id: faa031b5-21ed-4e02-8881-2591f98d82ed
status: test
description: Detects scenarios where a potentially unauthorized application or user is modifying the system time.
references:
    - Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)
    - Live environment caused by malware
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616
author: '@neu5ron'
date: 2019-02-05
modified: 2025-12-03
tags:
    - attack.stealth
    - attack.t1070.006
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Policy : System > Audit Security State Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\System\Audit Security State Change'
detection:
    selection:
        EventID: 4616
    filter_main_svchost:
        ProcessName: 'C:\Windows\System32\svchost.exe'
        SubjectUserSid: 'S-1-5-19'
    filter_optional_vmtools:
        ProcessName:
            - 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe'
            - 'C:\Program Files (x86)\VMware\VMware Tools\vmtoolsd.exe'
            - 'C:\Windows\System32\VBoxService.exe'
            - 'C:\Windows\System32\oobe\msoobe.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - HyperV or other virtualization technologies with binary not listed in filter portion of detection
level: low
low
Unmount Share Via Net.EXE
Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
status test author oscd.community, @redcanary, Zach Stanford @svch0st id cb7c4a03-2871-43c0-9bbb-18bbdb079896
title: Unmount Share Via Net.EXE
id: cb7c4a03-2871-43c0-9bbb-18bbdb079896
status: test
description: Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md
author: oscd.community, @redcanary, Zach Stanford @svch0st
date: 2020-10-08
modified: 2023-02-21
tags:
    - attack.stealth
    - attack.t1070.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'share'
            - '/delete'
    condition: all of selection*
falsepositives:
    - Administrators or power users may remove their shares via the command line
level: low
informational
File Deletion
Detects file deletion using the "rm", "shred" or "unlink" commands, which adversaries often use to delete files left behind by the actions of their intrusion activity.
status stable author Ömer Günal, oscd.community id 30aed7b6-d2c1-4eaf-9382-b6bc43e50c57
title: File Deletion
id: 30aed7b6-d2c1-4eaf-9382-b6bc43e50c57
status: stable
description: Detects file deletion using the "rm", "shred" or "unlink" commands, which adversaries often use to delete files left behind by the actions of their intrusion activity.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
author: Ömer Günal, oscd.community
date: 2020-10-07
modified: 2022-09-15
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '/rm'     # matches binaries ending in '/rm'; note that '/rmdir' does not end in '/rm' and is not covered
            - '/shred'
            - '/unlink'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: informational
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin