Suspicious Commands Hunting To Remove Files
Query
let Timeframe = 1d; // Choose the best timeframe for your investigation
DeviceProcessEvents
| where Timestamp > ago(Timeframe)
| where ProcessCommandLine contains "&& rmdir" and ProcessCommandLine contains "&& del"
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, ProcessVersionInfoFileDescription, ProcessCommandLine, AccountName, InitiatingProcessParentFileNameAbout this query
Suspicious commands hunting to remove files
Description
Recent analyses published, uncovered DarkGate operators removing malicious indicators. The followinq query has derived from malware analysis, however it should be considered as low precision hunting method and should be fine tuned based on your environment to achieve high precision.
References
- https://threatfox.abuse.ch/ioc/1152536/
- https://twitter.com/fr0s7_/status/1712218958282063898/photo/1
Microsoft 365 Defender & Microsoft Sentinel
MITRE ATT&CK Mapping
- Tactic: T1070.004
- Technique ID: T1070.004
- Indicator Removal: File Deletion
Source
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 29/10/2023 | Initial publish |
Explanation
The query is designed to hunt for suspicious commands used to remove files. It searches for events where the process command line contains both "&& rmdir" and "&& del". The query retrieves information such as the timestamp, device name, file name, folder path, SHA256 hash, process version info, process command line, account name, and the parent file name of the initiating process. It is recommended to adjust the timeframe and fine-tune the query for better precision in your specific environment. The query is mapped to MITRE ATT&CK technique T1070.004, which is related to indicator removal through file deletion.
Details

Michalis Michalos
Released: October 29, 2023
Tables
Keywords
Operators