
Cisco File Deletion

Summary
The Cisco File Deletion Sigma rule detects files being removed from the flash file system of Cisco devices. It is a keyword detection over the device's command records: any command containing 'erase', 'delete' or 'format' fires it, since those are the IOS verbs that remove individual files or wipe a whole file system. Administrators run the same commands routinely to free flash space or retire old images, so the rule expects false positives from legitimate cleanup; a hit should be read together with who ran the command, from where, which file or file system was targeted and whether a change window was open. With that context, the rule gives security teams visibility into file management actions that can indicate defense evasion (removing evidence of activity on the device) or impact (destroying configuration or firmware) by a threat actor.
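The following is an added example, not code from the rule's author or the Sigma project, that runs the rule's keyword logic over constructed Cisco command-accounting records and shows where the false positives come from. It assumes (the page does not say) that the records are TACACS+ command-accounting lines forwarded to a SIEM, one per line, with the executed command in a `cmd=... <cr>` attribute, and that the backend renders the bare keyword list as a case-insensitive substring search. The verb-anchored matcher at the end is an example tuning of my own, not part of the rule.

```python
import re

# The three keywords from the Cisco File Deletion Sigma rule. Sigma keyword lists
# are case-insensitive; this example treats them as substring matches, which is how
# several backends render a bare `keywords` block (others tokenise the message).
RULE_KEYWORDS = ("erase", "delete", "format")

# Constructed sample records, not real data. The layout is an assumption: TACACS+
# command-accounting records (aaa accounting commands ... start-stop) forwarded to
# a SIEM one per line, with the executed command carried in the cmd= attribute.
SAMPLE_LOG = """\
Jan 10 12:00:01 10.0.0.1 admin tty2 10.0.0.5 stop task_id=12 service=shell priv-lvl=15 cmd=delete /force flash:/c2960-lanbasek9-mz.150-2.SE4.bin <cr>
Jan 10 12:00:08 10.0.0.1 admin tty2 10.0.0.5 stop task_id=13 service=shell priv-lvl=15 cmd=erase startup-config <cr>
Jan 10 12:00:15 10.0.0.1 admin tty2 10.0.0.5 stop task_id=14 service=shell priv-lvl=15 cmd=format flash: <cr>
Jan 10 12:01:02 10.0.0.1 netops tty3 10.0.0.7 stop task_id=15 service=shell priv-lvl=15 cmd=show interfaces status <cr>
Jan 10 12:01:09 10.0.0.1 netops tty3 10.0.0.7 stop task_id=16 service=shell priv-lvl=15 cmd=description Uplink to deleted-vlan lab <cr>
Jan 10 12:01:20 10.0.0.1 netops tty3 10.0.0.7 stop task_id=17 service=shell priv-lvl=15 cmd=copy tftp://10.0.0.9/new.bin flash: <cr>
"""

TASK_ID = re.compile(r"task_id=(\d+)")
CMD_FIELD = re.compile(r"\bcmd=(?P<cmd>.*?)\s*<cr>\s*$")


def sigma_keyword_match(line: str) -> bool:
    """The rule as written: fire if any keyword appears anywhere in the record."""
    lowered = line.lower()
    return any(keyword in lowered for keyword in RULE_KEYWORDS)


def extract_command(line: str):
    """Return the executed command from a cmd=... <cr> record, or None."""
    match = CMD_FIELD.search(line)
    return match.group("cmd").strip() if match else None


def verb_anchored_match(line: str) -> bool:
    """Example tuning (an assumption, not part of the Sigma rule): only fire when
    the keyword is the command verb itself. This drops hits such as an interface
    description that merely contains the word 'deleted'."""
    command = extract_command(line)
    if not command:
        return False
    verb = command.split()[0].lower()
    return verb in RULE_KEYWORDS


def run_detection(log_text: str):
    """Evaluate every record with both matchers and return per-record results."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        task = TASK_ID.search(line)
        results.append({
            "task_id": int(task.group(1)) if task else None,
            "cmd": extract_command(line),
            "rule_hit": sigma_keyword_match(line),
            "tuned_hit": verb_anchored_match(line),
        })
    return results


if __name__ == "__main__":
    for r in run_detection(SAMPLE_LOG):
        flag = "RULE " if r["rule_hit"] else "     "
        tuned = "TUNED" if r["tuned_hit"] else "     "
        print(f"{flag} {tuned} task_id={r['task_id']} cmd={r['cmd']}")
```

Running it shows the three destructive commands (task_id 12, 13, 14) firing under both matchers, the `show` and `copy` commands firing under neither, and the interface description containing "deleted-vlan" firing only under the rule's raw keyword match. Whether to keep the raw keyword behaviour is a judgement call: it is noisier, but anchoring on the verb would miss a deletion issued through a less common syntax, so in practice the better filter is usually enrichment (user, source address, change ticket) rather than a narrower match.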
Categories
  • Network
  • Endpoint
Data Sources
  • Application Log
  • Command
Created: 2019-08-12