Windows Rdp AutomaticDestinations Deletion

Author: Teoderick Contreras, Splunk
Source: upstream

This detection identifies the deletion of files within the AutomaticDestinations folder, located under a user’s AppData\Roaming\Microsoft\Windows\Recent directory. These files are part of the Windows Jump List feature, which records recently accessed files and folders tied to specific applications. Each .automaticDestinations-ms file corresponds to a program (e.g., Explorer, Word, Notepad) and can be valuable for forensic analysis of user activity. Adversaries may target this folder to erase evidence of their actions, such as which documents or directories were accessed during a session. This type of deletion is rarely seen during normal user activity and may indicate deliberate anti-forensic behavior. When correlated with suspicious logon events, RDP usage, or script execution, this activity may represent an attempt to cover tracks after data access, lateral movement, or staging for exfiltration. Detecting removal of these artifacts can highlight post-compromise cleanup efforts and help analysts reconstruct attacker behavior.

MITRE ATT&CK coverage

Tactic          | Technique
Defense Evasion | T1070.004 Indicator Removal: File Deletion

Event coverage

Provider | Event ID | Title
Sysmon   | 23       | FileDelete (File Delete archived)
Sysmon   | 26       | FileDeleteDetected (File Delete logged)

Stages and Predicates

Stage 1: search

search EventCode=23 TargetFilename="*\\Recent\\AutomaticDestinations*"

Stage 2: stats

stats BY action, dest, dvc, file_path, file_hash, file_name, file_modify_time, process_exec, process_guid, process_id, process_name, process_path, signature, signature_id, user, user_id, vendor_product

Stage 3: search

search

Stage 4: search

search

Stage 5: search

search `macro`
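
As an added illustration, not part of the upstream rule or of Splunk's content, the Python below reproduces the Stage 1 predicate (EventCode=23 and the TargetFilename wildcard) and a reduced form of the Stage 2 grouping, run over a few constructed Sysmon-style events. The field names EventCode and TargetFilename come from the rule and dest, user and process_name from the stats stage; the hostname, user names, process names and file names in the sample events are constructed. The Splunk literal "*\\Recent\\AutomaticDestinations*" contains escaped backslashes, so the path being matched has single backslashes, and "*" is a Splunk wildcard; the translation below treats it that way and matches case-insensitively, as Splunk does for wildcarded field values.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Predicates taken from Stage 1 of the rule. In the rule's SPL the path is
# written "*\\Recent\\AutomaticDestinations*"; inside Splunk quotes "\\" is one
# literal backslash, so the effective pattern is the raw string below.
RULE_EVENT_CODE = "23"
RULE_PATH_PATTERN = r"*\Recent\AutomaticDestinations*"


def splunk_wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a Splunk field wildcard (only '*' is special) into an
    anchored, case-insensitive regular expression."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


PATH_RE = splunk_wildcard_to_regex(RULE_PATH_PATTERN)


def matches_rule(event: Dict[str, str]) -> bool:
    """Stage 1: EventCode=23 AND TargetFilename matches the wildcard.
    Sysmon 26 (FileDeleteDetected) is listed under event coverage but the
    search predicate itself only selects EventCode 23, so 26 is not matched."""
    if event.get("EventCode") != RULE_EVENT_CODE:
        return False
    return PATH_RE.match(event.get("TargetFilename", "")) is not None


def matched_events(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that pass Stage 1."""
    return [ev for ev in events if matches_rule(ev)]


def aggregate(events: Iterable[Dict[str, str]]) -> Dict[Tuple[str, str, str], int]:
    """Stage 2 reduced to three of the rule's BY fields (dest, user,
    process_name): one count per distinct key, as stats would produce."""
    counts: Counter = Counter()
    for ev in matched_events(events):
        counts[(ev.get("dest", ""), ev.get("user", ""), ev.get("process_name", ""))] += 1
    return dict(counts)


# Constructed sample events (hostname, user, process and file names are made up).
_JUMPLIST_DIR = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations"
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Jump List file deleted from a shell: matches the rule.
    {"EventCode": "23", "dest": "WS01", "user": "alice", "process_name": "cmd.exe",
     "TargetFilename": _JUMPLIST_DIR + r"\0123456789abcdef.automaticDestinations-ms"},
    # Second Jump List file deleted by a different process: matches the rule.
    {"EventCode": "23", "dest": "WS01", "user": "alice", "process_name": "powershell.exe",
     "TargetFilename": _JUMPLIST_DIR + r"\fedcba9876543210.automaticDestinations-ms"},
    # Ordinary file deletion outside the folder: not matched (path).
    {"EventCode": "23", "dest": "WS01", "user": "alice", "process_name": "explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report.docx"},
    # Same folder but logged as Sysmon 26: not matched (EventCode is not 23).
    {"EventCode": "26", "dest": "WS01", "user": "alice", "process_name": "cmd.exe",
     "TargetFilename": _JUMPLIST_DIR + r"\0123456789abcdef.automaticDestinations-ms"},
    # Sibling CustomDestinations folder: not matched (different directory).
    {"EventCode": "23", "dest": "WS01", "user": "alice", "process_name": "cmd.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\abc.customDestinations-ms"},
]

if __name__ == "__main__":
    for key, n in aggregate(SAMPLE_EVENTS).items():
        print(f"dest={key[0]} user={key[1]} process_name={key[2]} count={n}")
```

The wildcard translation is the part worth checking when porting this predicate to another engine: "*" must become an unanchored ".*" and every backslash in the remainder must be escaped, otherwise the Windows path separators are read as regex escapes.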

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank or a count of 1 means the indicator is specific to this rule.

Field          | Kind | Values
EventCode      | eq   | 23 (corpus 2: splunk 2)
TargetFilename | in   | "*\\Recent\\AutomaticDestinations*"