T1070.004
Indicator Removal on Host: File Deletion
Description from ATT&CK
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in Command and Scripting Interpreter functions include del on Windows and rm or unlink on Linux and macOS.
Atomic Tests
Atomic Test #1 - Delete a single file - FreeBSD/Linux/macOS
Delete a single file from the temporary directory
Supported Platforms: linux,macos
auto_generated_guid: 562d737f-2fc6-4b09-8c2a-7f8ff0828480
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
parent_folder | Path of parent folder | path | /tmp/victim-files/ |
file_to_delete | Path of file to delete | path | /tmp/victim-files/T1070.004-test.txt |
Attack Commands: Run with sh!
1
rm -f #{file_to_delete}
Cleanup Commands:
1
rm -rf #{parent_folder}
Dependencies: Run with sh!
Description: The file must exist in order to be deleted
Check Prereq Commands:
1
test -e #{file_to_delete} && exit 0 || exit 1
Get Prereq Commands:
1
mkdir -p #{parent_folder} && touch #{file_to_delete}
Atomic Test #2 - Delete an entire folder - FreeBSD/Linux/macOS
Recursively delete the temporary directory and all files contained within it
Supported Platforms: linux,macos
auto_generated_guid: a415f17e-ce8d-4ce2-a8b4-83b674e7017e
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
folder_to_delete | Path of folder to delete | path | /tmp/victim-folder |
Attack Commands: Run with sh!
1
rm -rf #{folder_to_delete}
Dependencies: Run with sh!
Description: The folder must exist in order to be deleted
Check Prereq Commands:
1
test -e #{folder_to_delete} && exit 0 || exit 1
Get Prereq Commands:
1
mkdir -p #{folder_to_delete}
Atomic Test #3 - Overwrite and delete a file with shred
Use the
command to overwrite the temporary file and then delete it1
shred
Supported Platforms: linux
auto_generated_guid: 039b4b10-2900-404b-b67f-4b6d49aa6499
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
file_to_shred | Path of file to shred | path | /tmp/victim-shred.txt |
Attack Commands: Run with sh!
1
shred -u #{file_to_shred}
Dependencies: Run with sh!
Description: Check if file already exists
Check Prereq Commands:
1
if [ -f "#{file_to_shred}" ]; then echo "File already exists"; else echo "File does NOT exist yet"; exit 1; fi
Get Prereq Commands:
1
touch #{file_to_shred}
Atomic Test #4 - Delete a single file - Windows cmd
Delete a single file from the temporary directory using cmd.exe. Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted.
Supported Platforms: windows
auto_generated_guid: 861ea0b4-708a-4d17-848d-186c9c7f17e3
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
file_to_delete | File to delete. Run the prereq command to create it if it does not exist. | string | %temp%\deleteme_T1551.004 |
Attack Commands: Run with command_prompt!
1
del /f #{file_to_delete}
Dependencies: Run with command_prompt!
Description: The file to delete must exist on disk at specified location (#{file_to_delete})
Check Prereq Commands:
1
IF EXIST "#{file_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 )
Get Prereq Commands:
1
echo deleteme_T1551.004 >> #{file_to_delete}
Atomic Test #5 - Delete an entire folder - Windows cmd
Recursively delete a folder in the temporary directory using cmd.exe. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.
Supported Platforms: windows
auto_generated_guid: ded937c4-2add-42f7-9c2c-c742b7a98698
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
folder_to_delete | Folder to delete. Run the prereq command to create it if it does not exist. | string | %temp%\deleteme_T1551.004 |
Attack Commands: Run with command_prompt!
1
rmdir /s /q #{folder_to_delete}
Dependencies: Run with command_prompt!
Description: The file to delete must exist on disk at specified location (#{folder_to_delete})
Check Prereq Commands:
1
IF EXIST "#{folder_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 )
Get Prereq Commands:
1
mkdir #{folder_to_delete}
Atomic Test #6 - Delete a single file - Windows PowerShell
Delete a single file from the temporary directory using Powershell. Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted.
Supported Platforms: windows
auto_generated_guid: 9dee89bd-9a98-4c4f-9e2d-4256690b0e72
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
file_to_delete | File to delete. Run the prereq command to create it if it does not exist. | string | $env:TEMP\deleteme_T1551.004 |
Attack Commands: Run with powershell!
1
Remove-Item -path #{file_to_delete}
Dependencies: Run with powershell!
Description: The file to delete must exist on disk at specified location (#{file_to_delete})
Check Prereq Commands:
1
if (Test-Path #{file_to_delete}) {exit 0} else {exit 1}
Get Prereq Commands:
1
New-Item -Path #{file_to_delete} | Out-Null
Atomic Test #7 - Delete an entire folder - Windows PowerShell
Recursively delete a folder in the temporary directory using Powershell. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.
Supported Platforms: windows
auto_generated_guid: edd779e4-a509-4cba-8dfa-a112543dbfb1
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
folder_to_delete | Folder to delete. Run the prereq command to create it if it does not exist. | string | $env:TEMP\deleteme_folder_T1551.004 |
Attack Commands: Run with powershell!
1
Remove-Item -Path #{folder_to_delete} -Recurse
Dependencies: Run with powershell!
Description: The folder to delete must exist on disk at specified location (#{folder_to_delete})
Check Prereq Commands:
1
if (Test-Path #{folder_to_delete}) {exit 0} else {exit 1}
Get Prereq Commands:
1
New-Item -Path #{folder_to_delete} -Type Directory | Out-Null
Atomic Test #8 - Delete Filesystem - Linux
This test deletes the entire root filesystem of a Linux system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment.
Supported Platforms: linux
auto_generated_guid: f3aa95fe-4f10-4485-ad26-abf22a764c52
Inputs:
None
Attack Commands: Run with sh!
1
[ "$(uname)" = 'Linux' ] && rm -rf / --no-preserve-root > /dev/null 2> /dev/null || chflags -R 0 / && rm -rf / > /dev/null 2> /dev/null
Atomic Test #9 - Delete Prefetch File
Delete a single prefetch file. Deletion of prefetch files is a known anti-forensic technique. To verify execution, Run
before and after the test to verify that the number of prefetch files decreases by 1.1
(Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" | Measure-Object).Count
Supported Platforms: windows
auto_generated_guid: 36f96049-0ad7-4a5f-8418-460acaeb92fb
Inputs:
None
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" -Name)[0])
Atomic Test #10 - Delete TeamViewer Log Files
Adversaries may delete TeamViewer log files to hide activity. This should provide a high true-positive alert ration. This test just places the files in a non-TeamViewer folder, a detection would just check for a deletion event matching the TeamViewer log file format of TeamViewer_##.log. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.
https://twitter.com/SBousseaden/status/1197524463304290305?s=20
Supported Platforms: windows
auto_generated_guid: 69f50a5f-967c-4327-a5bb-e1a9a9983785
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
teamviewer_log_file | Teamviewer log file to create and delete. | string | $env:TEMP\TeamViewer_54.log |
Attack Commands: Run with powershell!
1
2
New-Item -Path #{teamviewer_log_file} -Force | Out-Null
Remove-Item #{teamviewer_log_file} -Force -ErrorAction Ignore
Atomic Test #11 - Clears Recycle bin via rd
An adversary clears the recycle bin in the system partition using rd to remove traces of deleted files. Reference
Supported Platforms: windows
auto_generated_guid: f723d13d-48dc-4317-9990-cf43a9ac0bf2
Inputs:
None
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
1
rd /s /q %systemdrive%\$RECYCLE.BIN