Host Artifact Deletion

Adversaries may delete artifacts on a host system, including logs, browser history, or directories.

id:339d4a19-dfb8-4d86-89c8-6a3ac807a57f
categories:enrich
confidence:low
os:windows
created:7/26/2019
updated:7/26/2019

MITRE ATT&CK™ Mapping

tactics:Defense Evasion
techniques:T1070 Indicator Removal on Host

Query

// Process-creation events only; each branch is one way of wiping a host artifact.
// String comparisons in EQL are case-insensitive and "*" matches any run of characters.
process where subtype.create and (
  // Internet Explorer "Delete Browsing History" invoked via rundll32 (browser history)
  (process_name == "rundll32.exe" and command_line == "*InetCpl.cpl,Clear*") or
  // reg.exe removing registry keys or values
  (process_name == "reg.exe" and command_line == "* delete *") or
  // cmd.exe removing a directory tree
  (process_name == "cmd.exe" and command_line == "* *rmdir *")
)
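The matching the query above performs, re-implemented over constructed process-creation events as an added example (not part of the EQL Analytics Library); it assumes EQL's `==` on strings is case-insensitive with `*` as the only wildcard, and the event field names are taken from the query.

```python
import re

# The three branches of the page's query: (process_name, command_line wildcard pattern).
RULES = [
    ("rundll32.exe", "*InetCpl.cpl,Clear*"),   # IE "Delete Browsing History" via rundll32
    ("reg.exe", "* delete *"),                 # registry key/value deletion
    ("cmd.exe", "* *rmdir *"),                 # directory tree removal from cmd
]

def _wildcard_to_regex(pattern):
    """Translate an EQL-style wildcard string ('*' only) into an anchored, case-insensitive regex."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)

COMPILED = [(name, _wildcard_to_regex(pat)) for name, pat in RULES]

def is_host_artifact_deletion(event):
    """True if a single event satisfies 'process where subtype.create and (...)'."""
    if event.get("event_type") != "process" or event.get("subtype") != "create":
        return False
    name = event.get("process_name", "").lower()
    cmd = event.get("command_line", "")
    return any(name == rule_name and regex.match(cmd) for rule_name, regex in COMPILED)

def find_alerts(events):
    """Return the subset of events the analytic would flag."""
    return [e for e in events if is_host_artifact_deletion(e)]

# Constructed sample telemetry (not real logs); the last two are expected non-matches.
SAMPLE_EVENTS = [
    {"event_type": "process", "subtype": "create", "process_name": "rundll32.exe",
     "command_line": "rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 255"},
    {"event_type": "process", "subtype": "create", "process_name": "reg.exe",
     "command_line": "reg.exe delete HKCU\\Software\\Example /f"},
    {"event_type": "process", "subtype": "create", "process_name": "cmd.exe",
     "command_line": "cmd.exe /c rmdir /s /q C:\\Temp\\logs"},
    {"event_type": "process", "subtype": "create", "process_name": "cmd.exe",
     "command_line": "cmd.exe /c dir C:\\Temp"},
    {"event_type": "process", "subtype": "terminate", "process_name": "reg.exe",
     "command_line": "reg.exe delete HKCU\\Software\\Example /f"},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert["process_name"], "->", alert["command_line"])
```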

Contributors