DC0040 File Deletion

Item           Value
ID             DC0040
Version        2.0
Created        20 October 2021
Last Modified  12 November 2025

Log Sources

Name                                  Channel
auditd:CONFIG_CHANGE                  /etc/fstab, /etc/systemd/*
auditd:SYSCALL                        unlink/unlinkat on service binaries or data targets
auditd:SYSCALL                        file deletion
auditd:SYSCALL                        PATH
auditd:SYSCALL                        unlink, unlinkat, openat, write
auditd:SYSCALL                        unlink, unlinkat, rmdir
auditd:SYSCALL                        unlink, rename, open
auditd:SYSCALL                        unlink/unlinkat
docker:daemon                         container file operations
esxi:hostd                            delete action
esxi:hostd                            rm, clearlogs, logrotate
esxi:hostd                            Datastore file operations
esxi:shell                            shell history
esxi:shell                            /var/log/shell.log
File                                  None
fs:fsusage                            unlink, fs_delete
linux:Sysmon                          EventCode=23
macos:osquery                         file_events
macos:osquery                         CREATE, DELETE, WRITE: Stored data manipulation attempts by unauthorized processes
macos:unifiedlog                      exec rm -rf
WinEventLog:Microsoft-Windows-Backup  Windows Backup Catalog deletion or catalog corruption
WinEventLog:Sysmon                    EventCode=23

Detection Strategy

ID       Name                                                                                       Technique Detected
DET0021  Behavioral Detection for Service Stop across Platforms                                     T1489
DET0329  Behavioral Detection for T1490 - Inhibit System Recovery                                   T1490
DET0165  Behavioral Detection of Command History Clearing                                           T1070.003
DET0184  Behavioral Detection of Indicator Removal Across Platforms                                 T1070
DET0520  Behavioral Detection of Log File Clearing on Linux and macOS                               T1070.002
DET0266  Behavioral Detection of Mailbox Data and Log Deletion for Anti-Forensics                   T1070.008
DET0140  Behavioral Detection of Malicious File Deletion                                            T1070.004
DET0758  Detection of Data Destruction                                                              T0809
DET0146  Detection of Data Destruction Across Platforms via Mass Overwrite and Deletion Patterns    T1485
DET0532  Detection of Event Log Clearing on Windows via Behavioral Chain                            T1070.001
DET0750  Detection of Indicator Removal on Host                                                     T0872
DET0439  Detection of Malware Relocation via Suspicious File Movement                               T1070.010
DET0040  Detection of Persistence Artifact Removal Across Host Platforms                            T1070.009
DET0193  Detection Strategy for Stored Data Manipulation across OS Platforms.                       T1565.001