File Deletion via Shred

About

Tags

Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: Defense EvasionData Source: Auditd ManagerData Source: Elastic DefendData Source: Elastic EndgameData Source: CrowdstrikeData Source: SentinelOneLanguage: eql

Severity

low

Risk Score

21

MITRE ATT&CK™

Defense Evasion (TA0005)(external, opens in a new tab or window)

↳ Indicator Removal (T1070)(external, opens in a new tab or window)

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type

Event Correlation Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

auditbeat-*endgame-*logs-crowdstrike.fdr*logs-endpoint.events.process*logs-sentinel_one_cloud_funnel.*logs-auditd_manager.auditd-*

Related Integrations

auditd_manager(external, opens in a new tab or window)

crowdstrike(external, opens in a new tab or window)

endpoint(external, opens in a new tab or window)

sentinel_one_cloud_funnel(external, opens in a new tab or window)

Query

✄𐘗
text code block:
✄𐘗process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
process.name == "shred" and (
// Any short-flag cluster containing at least one of u/z, and containing no extra "-" after the first one
process.args regex~ "-[^-]*[uz][^-]*" or
process.args in ("--remove", "--zero")
) and
not process.parent.name == "logrotate"