Refers to events in which files are removed from a system or storage device. Such events can reflect legitimate housekeeping or malicious activity, such as an attacker deleting artifacts to cover their tracks. Monitoring file deletions helps organizations identify unauthorized or suspicious activity.
| Name | Channel |
|---|---|
| auditd:CONFIG_CHANGE | /etc/fstab, /etc/systemd/* |
| auditd:SYSCALL | unlink/unlinkat on service binaries or data targets |
| auditd:SYSCALL | file deletion |
| auditd:SYSCALL | PATH |
| auditd:SYSCALL | unlink, unlinkat, openat, write |
| auditd:SYSCALL | unlink, unlinkat, rmdir |
| auditd:SYSCALL | unlink, rename, open |
| auditd:SYSCALL | unlink/unlinkat |
| docker:daemon | container file operations |
| esxi:hostd | delete action |
| esxi:hostd | rm, clearlogs, logrotate |
| esxi:hostd | Datastore file operations |
| esxi:shell | shell history |
| esxi:shell | /var/log/shell.log |
| File | None |
| fs:fsusage | unlink, fs_delete |
| linux:Sysmon | EventCode=23 |
| macos:osquery | file_events |
| macos:osquery | CREATE, DELETE, WRITE: Stored data manipulation attempts by unauthorized processes |
| macos:unifiedlog | exec rm -rf \| dd if=/dev \| srm \| file unlink |
| WinEventLog:Microsoft-Windows-Backup | Windows Backup Catalog deletion or catalog corruption |
| WinEventLog:Sysmon | EventCode=23 |