Query Details
# Suspicious commands hunting to remove files

### Description

Recently published analyses uncovered DarkGate operators removing malicious indicators. The following query was derived from malware analysis; however, it should be considered a low-precision hunting method and should be fine-tuned to your environment to achieve high precision.

### References

- https://threatfox.abuse.ch/ioc/1152536/
- https://twitter.com/fr0s7_/status/1712218958282063898/photo/1

### Microsoft 365 Defender & Microsoft Sentinel

```
let Timeframe = 1d; // Choose the best timeframe for your investigation
DeviceProcessEvents
| where Timestamp > ago(Timeframe)
| where ProcessCommandLine contains "&& rmdir" and ProcessCommandLine contains "&& del"
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, ProcessVersionInfoFileDescription, ProcessCommandLine, AccountName, InitiatingProcessParentFileName
```

### MITRE ATT&CK Mapping

- Tactic: T1070.004
- Technique ID: T1070.004
- [Indicator Removal: File Deletion](https://attack.mitre.org/techniques/T1070/004/)

### Source

### Versioning

| Version | Date       | Comments        |
| ------- | ---------- | --------------- |
| 1.0     | 29/10/2023 | Initial publish |
The query hunts for suspicious commands used to remove files. It matches process events whose command line contains both "&& rmdir" and "&& del" (KQL `contains` is case-insensitive), and projects the timestamp, device name, file name, folder path, SHA256 hash, process version info, command line, account name, and the parent file name of the initiating process. Build scripts and installers also chain `del` and `rmdir`, so the timeframe and the match criteria should be tuned to your environment for better precision. The query is mapped to MITRE ATT&CK technique T1070.004, Indicator Removal: File Deletion.
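To make the low-precision point concrete, the following is an added example (not part of the original page or the author's query) that applies the same predicate the KQL uses to a handful of constructed DeviceProcessEvents-style records, then shows one tuning step: suppressing hits whose initiating parent process is on an environment-specific allow-list. The record fields, sample command lines, and the `KNOWN_BUILD_PARENTS` set are all constructed for illustration.

```python
"""Emulates the hunting predicate from the KQL query over constructed
DeviceProcessEvents-style records and demonstrates one fine-tuning step.
Added example; the telemetry below is constructed, not real data."""
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass
class ProcessEvent:
    """Subset of the DeviceProcessEvents columns the query projects."""
    device_name: str
    file_name: str
    process_command_line: str
    account_name: str
    initiating_process_parent_file_name: str


# Constructed sample telemetry (hypothetical hosts, users and parents).
SAMPLE_EVENTS: List[ProcessEvent] = [
    # Cleanup chain launched by a script host: the kind of hit the query targets.
    ProcessEvent(
        "WS-0142", "cmd.exe",
        'cmd.exe /c copy /y C:\\Users\\Public\\a.tmp C:\\Users\\Public\\b.tmp '
        '&& del C:\\Users\\Public\\a.tmp && rmdir /s /q C:\\Users\\Public\\stage',
        "jdoe", "wscript.exe",
    ),
    # Benign build-server cleanup: same substrings, legitimate parent.
    ProcessEvent(
        "BUILD-07", "cmd.exe",
        'cmd.exe /c msbuild proj.sln && DEL /q obj\\*.tmp && RMDIR /s /q obj',
        "svc_build", "jenkins.exe",
    ),
    # Unrelated event: no chained deletion at all.
    ProcessEvent(
        "WS-0201", "powershell.exe",
        "powershell.exe -File cleanup.ps1",
        "asmith", "explorer.exe",
    ),
]


def matches_hunt(event: ProcessEvent) -> bool:
    """Same logic as the KQL `where` clause. KQL `contains` is
    case-insensitive, so compare lower-cased text; both substrings must occur."""
    cmd = event.process_command_line.lower()
    return "&& rmdir" in cmd and "&& del" in cmd


def hunt(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Untuned hunt: every event satisfying the predicate."""
    return [e for e in events if matches_hunt(e)]


# Tuning step: parents that legitimately chain del/rmdir in *this* environment.
# Hypothetical allow-list; populate it from your own baseline, not from here.
KNOWN_BUILD_PARENTS: Set[str] = {"jenkins.exe"}


def hunt_tuned(events: Iterable[ProcessEvent],
               allowed_parents: Set[str] = KNOWN_BUILD_PARENTS) -> List[ProcessEvent]:
    """Hunt with a parent-process allow-list applied, reducing false positives."""
    return [
        e for e in hunt(events)
        if e.initiating_process_parent_file_name.lower() not in allowed_parents
    ]


if __name__ == "__main__":
    for e in hunt(SAMPLE_EVENTS):
        print("untuned hit:", e.device_name, e.initiating_process_parent_file_name)
    for e in hunt_tuned(SAMPLE_EVENTS):
        print("tuned hit:  ", e.device_name, e.initiating_process_parent_file_name)
```

Running the untuned predicate flags both the script-host cleanup and the build-server cleanup; the allow-list keeps only the former. In KQL the equivalent tuning is an additional `| where InitiatingProcessParentFileName !in~ (...)` clause populated from your own baseline of build and deployment tooling.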

Michalis Michalos
Released: October 29, 2023