T1070.004: File Deletion

Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.

There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples of built-in Command and Scripting Interpreter functions include del on Windows and rm or unlink on Linux and macOS.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_defense_evasion: PT-CR-2924: Self_Delete_Object: A program deleted itself. This may indicate malware activity.
microsoft_o365: PT-CR-3121: O365_Mass_Content_Deletion: Within a short period of time, multiple Exchange emails or SharePoint or OneDrive files were deleted in a Microsoft 365 tenant.

Detection

ID: DS0022
Data source and component: File: File Deletion
Description: Monitor for unexpected deletion of files from the system. Typical sources are Sysmon Event ID 23 (FileDelete) on Windows and auditd records for the unlink and unlinkat system calls on Linux; deletions of executables or scripts from user-writable locations (temp, public, profile directories) shortly after they were created are the cases most worth alerting on.

ID: DS0017
Data source and component: Command: Command Execution
Description: Monitor executed commands and arguments for actions that could be utilized to unlink, rename, or delete files (for example del, erase, rd, Remove-Item, rm, unlink, shred, sdelete, cipher /w), with particular attention to a child shell whose command line names its own parent's executable, the classic "ping, then del" self-deletion pattern.
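The two detection ideas above (a self-deleting program, as in the Self_Delete_Object rule, and deletion commands on the command line) are sketched below as an added example; this is not Positive Technologies code and not a MaxPatrol SIEM rule. It runs simple rules over a handful of constructed, Sysmon-style events. The field names (EventID, Image, ParentImage, CommandLine, TargetFilename) follow Sysmon's ProcessCreate (ID 1) and FileDelete (ID 23) schemas; the rule names, the token list and the sample events are assumptions made for illustration.

```python
"""Toy T1070.004 detection logic over constructed, Sysmon-style events.

Added example: not Positive Technologies code and not a MaxPatrol SIEM rule.
Field names follow Sysmon's ProcessCreate (EventID 1) and FileDelete
(EventID 23) schemas; rule names and sample events are constructed here.
"""
import re
from typing import Dict, List

# Deletion verbs and utilities worth flagging on a command line, covering
# cmd.exe, PowerShell (cmdlet plus aliases), coreutils and Sysinternals.
# Lower-case, matched as whole tokens (trailing ".exe" is stripped first).
DELETE_TOKENS = {
    "del", "erase", "rd", "rmdir",      # cmd.exe built-ins
    "remove-item", "ri",                # PowerShell cmdlet and alias
    "rm", "unlink", "shred",            # coreutils (rm/rmdir are PS aliases too)
    "sdelete", "sdelete64",             # Sysinternals secure delete
}

# File types whose deletion from disk is more interesting than a .tmp file.
SUSPICIOUS_DELETE_EXT = (".exe", ".dll", ".ps1", ".bat", ".vbs", ".sh")

# Constructed sample events (assumption: a small mixed Windows/Linux batch).
SAMPLE_EVENTS: List[Dict] = [
    # Benign: an updater removes its own temp package, not an executable.
    {"EventID": 23, "Image": r"C:\Program Files\App\updater.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\pkg.tmp"},
    # Self-delete via a child shell: parent binary is named in the del command.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\svc_update.exe",
     "CommandLine": r'cmd.exe /c ping 127.0.0.1 -n 3 > nul & del /f /q "C:\Users\alice\AppData\Local\Temp\svc_update.exe"'},
    # ...and the matching FileDelete event for that executable.
    {"EventID": 23, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\svc_update.exe"},
    # Linux-style: a process unlinks its own image directly.
    {"EventID": 23, "Image": "/tmp/.x/agent", "TargetFilename": "/tmp/.x/agent"},
    # Ordinary shell use, no deletion verb.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users"},
    # PowerShell cleanup of a dropped tool.
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell -nop -c Remove-Item -Force C:\Users\Public\mimi.exe"},
]


def _tokens(cmdline: str) -> List[str]:
    """Split a command line into tokens: quoted strings stay whole, quotes are
    dropped, everything is lower-cased and a trailing .exe is trimmed so that
    'rm.exe' and 'rm' compare equal."""
    out = []
    for tok in re.findall(r'"[^"]*"|\S+', cmdline):
        tok = tok.strip('"').lower()
        if tok.endswith(".exe"):
            tok = tok[:-4]
        out.append(tok)
    return out


def deletion_verbs(cmdline: str) -> List[str]:
    """Return the deletion utilities invoked on a command line (may be empty)."""
    toks = _tokens(cmdline)
    found = [t for t in toks if t in DELETE_TOKENS]
    # cipher only destroys data with the /w (wipe free space) switch.
    for i, tok in enumerate(toks[:-1]):
        if tok == "cipher" and toks[i + 1].startswith("/w"):
            found.append("cipher /w")
    return found


def detect(events: List[Dict]) -> List[Dict]:
    """Apply three rules and return one alert dict per hit, in event order."""
    alerts: List[Dict] = []
    for ev in events:
        if ev.get("EventID") == 1:
            cmd = ev.get("CommandLine", "")
            verbs = deletion_verbs(cmd)
            if not verbs:
                continue
            parent = ev.get("ParentImage", "")
            # The deleting command names the parent's own executable: the
            # spawned-shell self-delete pattern (delay, then del).
            if parent and parent.lower() in cmd.lower():
                alerts.append({"rule": "self_delete_via_child", "path": parent, "cmd": cmd})
            else:
                alerts.append({"rule": "deletion_command", "verbs": verbs, "cmd": cmd})
        elif ev.get("EventID") == 23:
            image = ev.get("Image", "")
            target = ev.get("TargetFilename", "")
            if image and image.lower() == target.lower():
                # Process removed its own image (direct unlink of argv[0]).
                alerts.append({"rule": "self_delete", "path": target})
            elif target.lower().endswith(SUSPICIOUS_DELETE_EXT):
                alerts.append({"rule": "exec_deleted", "path": target, "by": image})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample batch the script raises four alerts: the ping-then-del child shell, the FileDelete of that executable, the Linux process unlinking its own image, and the Remove-Item cleanup; the updater's .tmp deletion and the plain dir command produce nothing. Token matching on the whole command line, rather than a substring search, is what keeps a path such as C:\tools\rmtool\ from matching rm.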