Find sigma rule
Attack: Indicator Removal on Host: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary’s footprint.
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in Command and Scripting Interpreter functions include del
on Windows and rm
or unlink
on Linux and macOS.
MITRE
Tactic
- defense-evasion
technique
- T1070.004
Test : Delete TeamViewer Log Files
OS
- windows
Description:
Adversaries may delete TeamViewer log files to hide activity. This should provide a high true-positive alert ration. This test just places the files in a non-TeamViewer folder, a detection would just check for a deletion event matching the TeamViewer log file format of TeamViewer_##.log. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.
https://twitter.com/SBousseaden/status/1197524463304290305?s=20
Executor
powershell
Sigma Rule
- file_delete_win_delete_teamviewer_logs.yml (id: b1decb61-ed83-4339-8e95-53ea51901720)