Adversaries may delete files to remove evidence of their presence or to evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data exfiltration or persistence tactics early.
Detection Rule
title: File Deletion
id: 30aed7b6-d2c1-4eaf-9382-b6bc43e50c57
status: stable
description: Detects file deletion using the "rm", "shred" or "unlink" commands, which adversaries often use to delete files left behind by their intrusion activity
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
author: Ömer Günal, oscd.community
date: 2020-10-07
modified: 2022-09-15
tags:
    - attack.defense-evasion
    - attack.t1070.004
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '/rm'      # note: '/rmdir' does not end with '/rm', so rmdir is not covered by this suffix
            - '/shred'
            - '/unlink'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: informational
imProcessCreate
| where TargetProcessName endswith "/rm" or TargetProcessName endswith "/shred" or TargetProcessName endswith "/unlink"
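To show how the rule's suffix match behaves and how the false-positive scenarios that follow can be turned into a tuning layer, here is an added Python example that is not part of the Sigma rule or the Sentinel page. It replays the `Image|endswith` selection over constructed Linux process_creation events and then suppresses only those deletions whose parent process and target paths both look like routine cleanup; the event field names, the allowed parents and the path globs are assumptions for this example, and the test also shows that `/usr/bin/rmdir` is not matched by the `/rm` suffix.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Suffixes from the rule's `Image|endswith` selection.
SUSPICIOUS_SUFFIXES = ("/rm", "/shred", "/unlink")
# Tuning assumptions (not from the rule): parents and target-path globs that
# correspond to the log-rotation and scheduled-maintenance scenarios.
ALLOWED_PARENTS = {"logrotate", "cron", "systemd-tmpfiles"}
ALLOWED_PATH_GLOBS = ("/var/log/*", "/tmp/*", "/var/tmp/*")

@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process_creation record; field names are assumed, not Sigma's."""
    image: str          # full executable path, e.g. /usr/bin/rm
    command_line: str
    parent_image: str

def matches_rule(ev: ProcessEvent) -> bool:
    """The Sigma selection. Note /usr/bin/rmdir does not end with '/rm'."""
    return ev.image.endswith(SUSPICIOUS_SUFFIXES)

def deletion_targets(ev: ProcessEvent) -> list:
    """Positional arguments of the command line, i.e. the paths being removed."""
    return [a for a in ev.command_line.split()[1:] if not a.startswith("-")]

def is_expected_cleanup(ev: ProcessEvent) -> bool:
    """Suppress only when BOTH the parent and every target path look routine,
    so a deletion under /var/log from an interactive shell still alerts."""
    parent = ev.parent_image.rsplit("/", 1)[-1]
    targets = deletion_targets(ev)
    return (parent in ALLOWED_PARENTS and bool(targets)
            and all(any(fnmatchcase(t, g) for g in ALLOWED_PATH_GLOBS)
                    for t in targets))

def triage(events) -> list:
    """Events that match the rule and are not explained by a tuning entry."""
    return [ev for ev in events if matches_rule(ev) and not is_expected_cleanup(ev)]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("/usr/bin/rm", "rm -f /var/log/syslog.7.gz", "/usr/sbin/logrotate"),
    ProcessEvent("/usr/bin/shred", "shred -u /root/.bash_history", "/bin/bash"),
    ProcessEvent("/usr/bin/unlink", "unlink /var/log/auth.log", "/bin/bash"),
    ProcessEvent("/usr/bin/rm", "rm -rf /tmp/build-cache", "/usr/sbin/cron"),
    ProcessEvent("/usr/bin/rm", "rm -f /etc/cron.d/backup", "/usr/sbin/cron"),
    ProcessEvent("/usr/bin/rmdir", "rmdir /tmp/empty", "/bin/bash"),
    ProcessEvent("/usr/bin/vim", "vim /etc/hosts", "/bin/bash"),
]
```

Calling `triage(SAMPLE_EVENTS)` leaves the shred, unlink and `/etc/cron.d` deletions as alerts, while the logrotate and cron cleanups under `/var/log` and `/tmp` are suppressed and the rmdir and vim events never match the rule.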
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task (e.g., Windows Task Scheduler or schtasks.exe) deletes temporary files or logs as part of routine cleanup.
Filter/Exclusion: Exclude files located in temporary directories such as C:\Windows\Temp, C:\Users\*\AppData\Local\Temp, or files with extensions like .log, .tmp, or .bak.
Scenario: Antivirus or Endpoint Protection Scan
Description: Antivirus tools (e.g., Microsoft Defender, CrowdStrike, or Symantec) may temporarily delete files during a scan or quarantine process.
Filter/Exclusion: Exclude files with known quarantine patterns, such as those in quarantine directories, or files with extensions like .quarantine, .tmp, or .dmp.
Scenario: Log Rotation or Archive Job
Description: A log rotation job (e.g., using logrotate on Linux or Event Viewer on Windows) deletes old log files to free up disk space.
Filter/Exclusion: Exclude files in log directories such as /var/log/, C:\ProgramData\Microsoft\Windows\Logs, or files with timestamps indicating they are old or archived.
Scenario: User-Initiated File Cleanup
Description: A user manually deletes files using tools like del, rm, or file managers, especially in shared or public directories.
Filter/Exclusion: Exclude files in user directories such as C:\Users\*\Documents, or files with user-specific names or timestamps.
Scenario: Database or Application Maintenance
Description: A database maintenance job (e.g., using sqlcmd, mysqldump, or application-specific scripts) deletes temporary or obsolete files.
Filter/Exclusion: Exclude files in database