Refers to events where files are removed from a system or storage device. These events can indicate legitimate housekeeping activities or malicious actions such as attackers attempting to cover their tracks. Monitoring file deletions helps organizations identify unauthorized or suspicious activities.
| Name | Channel |
|---|---|
| auditd:CONFIG_CHANGE | /etc/fstab, /etc/systemd/* |
| auditd:SYSCALL | unlink/unlinkat on service binaries or data targets |
| auditd:SYSCALL | file deletion |
| auditd:SYSCALL | PATH |
| auditd:SYSCALL | unlink, unlinkat, openat, write |
| auditd:SYSCALL | unlink, unlinkat, rmdir |
| auditd:SYSCALL | unlink, rename, open |
| auditd:SYSCALL | unlink/unlinkat |
| docker:daemon | container file operations |
| esxi:hostd | delete action |
| esxi:hostd | rm, clearlogs, logrotate |
| esxi:hostd | Datastore file operations |
| esxi:shell | shell history |
| esxi:shell | /var/log/shell.log |
| File | None |
| fs:fsusage | unlink, fs_delete |
| linux:Sysmon | EventCode=23 |
| macos:osquery | file_events |
| macos:osquery | CREATE, DELETE, WRITE: Stored data manipulation attempts by unauthorized processes |
| macos:unifiedlog | exec rm -rf \| dd if=/dev \| srm \| file unlink |
| MobileEDR:telemetry | application deletes, alters, renames, relocates, or suppresses local artifacts relevant to detection, including files, hidden media, compromise markers, or app-local evidence, before later continued execution or transfer |
| MobileEDR:telemetry | application deletes package files, cleanup artifacts, or app-local state immediately before disappearance from installed inventory or runtime |
| MobileEDR:telemetry | application deletes, truncates, or removes user, operational, or evidence-bearing files after prior access or staging and before later continued execution or communication |
| WinEventLog:Microsoft-Windows-Backup | Windows Backup Catalog deletion or catalog corruption |
| WinEventLog:Sysmon | EventCode=23 |
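As an added illustration of the auditd rows above (not code from the original page), the Python below correlates SYSCALL and PATH records by audit serial and reports successful unlink/unlinkat/rmdir calls together with the deleted path and the calling process. The sample log lines, the x86_64-only syscall-number map and the `file_delete` audit key are constructed assumptions.

```python
import re
from collections import defaultdict

# x86_64 syscall numbers (arch=c000003e) for the deletion syscalls named in the table.
# Other architectures use different numbers; extend the map per observed arch value.
DELETE_SYSCALLS = {"87": "unlink", "263": "unlinkat", "84": "rmdir"}
X86_64 = "c000003e"

# Constructed sample: rm of a log file, a benign openat, and an unlinkat under /etc.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1700000000.101:4521): arch=c000003e syscall=87 success=yes exit=0 '
    'items=2 pid=5678 auid=1000 uid=0 comm="rm" exe="/usr/bin/rm" key="file_delete"',
    'type=PATH msg=audit(1700000000.101:4521): item=0 name="/var/log/" nametype=PARENT',
    'type=PATH msg=audit(1700000000.101:4521): item=1 name="/var/log/auth.log" nametype=DELETE',
    'type=SYSCALL msg=audit(1700000000.102:4522): arch=c000003e syscall=257 success=yes exit=3 '
    'items=1 pid=5679 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="file_delete"',
    'type=PATH msg=audit(1700000000.102:4522): item=0 name="/etc/passwd" nametype=NORMAL',
    'type=SYSCALL msg=audit(1700000000.103:4523): arch=c000003e syscall=263 success=yes exit=0 '
    'items=2 pid=5680 auid=1000 uid=0 comm="python3" exe="/usr/bin/python3.11" key="file_delete"',
    'type=PATH msg=audit(1700000000.103:4523): item=0 name="/etc/cron.d/" nametype=PARENT',
    'type=PATH msg=audit(1700000000.103:4523): item=1 name="/etc/cron.d/backup" nametype=DELETE',
]

SERIAL_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return (record type, event serial, field dict) for one auditd line."""
    serial = SERIAL_RE.search(line).group(2)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return fields["type"], serial, fields


def find_deletions(lines):
    """Join SYSCALL and PATH records by serial; return successful deletions."""
    events = defaultdict(lambda: {"paths": []})
    for line in lines:
        rtype, serial, f = parse_record(line)
        if rtype == "SYSCALL":
            events[serial].update(f)
        elif rtype == "PATH" and f.get("nametype") == "DELETE":
            events[serial]["paths"].append(f["name"])  # the removed entry
    hits = []
    for serial, ev in sorted(events.items(), key=lambda kv: int(kv[0])):
        name = DELETE_SYSCALLS.get(ev.get("syscall"))
        if ev.get("arch") == X86_64 and name and ev.get("success") == "yes":
            for path in ev["paths"]:
                hits.append({"serial": serial, "syscall": name, "path": path,
                             "exe": ev.get("exe"), "uid": ev.get("uid"), "auid": ev.get("auid")})
    return hits


if __name__ == "__main__":
    for hit in find_deletions(SAMPLE_LOG):
        print(hit)
```

Filtering on `nametype=DELETE` rather than on the syscall alone avoids flagging the PARENT directory entry that accompanies every unlink record.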