← Back to Explore
sigmamediumHunting
Greedy File Deletion Using Del
Detects execution of the "del" builtin command to remove files using greedy/wildcard expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence.
Detection Query
selection_img:
- Image|endswith: \cmd.exe
- OriginalFileName: Cmd.Exe
selection_del:
CommandLine|contains:
- "del "
- "erase "
selection_extensions:
CommandLine|contains:
- \\\*.au3
- \\\*.dll
- \\\*.exe
- \\\*.js
condition: all of selection_*
Author
frack113 , X__Junior (Nextron Systems)
Created
2021-12-02
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.defense-evasionattack.t1070.004
Raw Content
title: Greedy File Deletion Using Del
id: 204b17ae-4007-471b-917b-b917b315c5db
status: test
description: Detects execution of the "del" builtin command to remove files using greedy/wildcard expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence.
references:
- https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase
author: frack113 , X__Junior (Nextron Systems)
date: 2021-12-02
modified: 2023-09-11
tags:
- attack.defense-evasion
- attack.t1070.004
logsource:
category: process_creation
product: windows
detection:
# Example:
# del C:\ProgramData\*.dll & exit
selection_img:
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'Cmd.Exe'
selection_del:
CommandLine|contains:
- 'del '
- 'erase '
selection_extensions:
CommandLine|contains:
- '\\\*.au3'
- '\\\*.dll'
- '\\\*.exe'
- '\\\*.js'
condition: all of selection_*
falsepositives:
- Unknown
level: medium