T1070.004: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (for example, via Ingress Tool Transfer) may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples of built-in Command and Scripting Interpreter functions include del on Windows and rm or unlink on Linux and macOS.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
— Monitoring of process-start events where the command line contains 'del' (for Windows) or 'rm' and 'unlink' (for Linux). It is also recommended to check the legitimacy and the result of each such command (for example, whether it deleted a critical system file, a log file, and so on).
— Monitoring of events related to unexpected file deletion.
Expert Required. The technique is detected only with the combination of «PT Product + Expert».
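As an added illustration of the monitoring logic described above (process-start events whose command line invokes del, rm or unlink, followed by a check of what was actually deleted), the following Python script is example code written for this page; it is not Positive Technologies' or MaxPatrol SIEM's own rule content. It runs over constructed process-creation records, extracts the deletion targets (descending into sh -c and cmd.exe /c wrappers and splitting commands chained with && or ;), and raises the severity when a target looks like a log, shell-history or core system file. The event field names and the sensitive-path patterns are assumptions made for the example.

```python
"""Triage process-start events for built-in file-deletion commands (T1070.004).

Added example, not Positive Technologies or MaxPatrol SIEM code. The event
fields (host, platform, parent, command_line) and the sensitive-path
heuristics are assumptions; the deletion verbs are the ones the technique
description names: del on Windows, rm and unlink on Linux/macOS.
"""
import re
import shlex
from dataclasses import dataclass

WINDOWS_DELETE = {"del", "erase"}      # erase is cmd.exe's alias for del
POSIX_DELETE = {"rm", "unlink"}
POSIX_SHELLS = {"sh", "bash", "dash", "zsh"}
SEPARATORS = {"&&", "||", ";", "|", "&"}

# Assumed heuristics for targets whose deletion deserves a closer look:
# log stores, shell history and core OS directories.
SENSITIVE = [
    re.compile(r"^/var/log/", re.I),
    re.compile(r"\.(log|evtx)$", re.I),
    re.compile(r"(^|[\\/])\.bash_history$", re.I),
    re.compile(r"^[a-z]:\\windows\\system32\\", re.I),
    re.compile(r"^/etc/", re.I),
]


@dataclass
class Finding:
    host: str
    parent: str
    verb: str
    targets: list
    severity: str   # "medium" for any deletion, "high" if a target is sensitive


def _basename(token):
    """Program name without directory or .exe suffix, lower-cased."""
    name = re.split(r"[\\/]", token.strip('"'))[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def _segments(tokens):
    """Split a token list into simple commands at shell separators."""
    seg = []
    for tok in tokens:
        if tok in SEPARATORS:
            if seg:
                yield seg
            seg = []
        else:
            seg.append(tok)
    if seg:
        yield seg


def _deletions(tokens, platform):
    """Yield (verb, targets) for every deletion command in the token list."""
    verbs = WINDOWS_DELETE if platform == "windows" else POSIX_DELETE
    flag = "/" if platform == "windows" else "-"
    for seg in _segments(tokens):
        name = _basename(seg[0])
        if platform == "windows" and name == "cmd":
            # cmd.exe /c <command ...>: skip the switches, the command follows
            seg = seg[1:]
            while seg and seg[0].startswith("/"):
                seg.pop(0)
            if not seg:
                continue
            name = _basename(seg[0])
        elif name in POSIX_SHELLS and len(seg) >= 3 and seg[1] == "-c":
            # sh -c "<command>": the deletion hides inside one quoted argument
            yield from _deletions(shlex.split(seg[2]), platform)
            continue
        if name in verbs:
            yield name, [t.strip('"') for t in seg[1:] if not t.startswith(flag)]


def triage(events):
    """Return a Finding for each deletion command seen in the events."""
    findings = []
    for ev in events:
        posix = ev["platform"] != "windows"   # Windows: keep backslashes, no escapes
        tokens = shlex.split(ev["command_line"], posix=posix)
        for verb, targets in _deletions(tokens, ev["platform"]):
            hit = any(p.search(t) for t in targets for p in SENSITIVE)
            findings.append(Finding(ev["host"], ev["parent"], verb, targets,
                                    "high" if hit else "medium"))
    return findings


# Constructed process-creation records for the demo; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "platform": "windows", "parent": "powershell.exe",
     "command_line": r'cmd.exe /c del /f /q "C:\Users\Public\update.exe"'},
    {"host": "ws01", "platform": "windows", "parent": "powershell.exe",
     "command_line": r"C:\Windows\System32\cmd.exe /c del C:\Windows\System32\winevt\Logs\Security.evtx"},
    {"host": "srv02", "platform": "linux", "parent": "bash",
     "command_line": "/bin/rm -rf /var/log/auth.log /var/log/wtmp"},
    {"host": "srv02", "platform": "linux", "parent": "sshd",
     "command_line": "sh -c 'unlink /root/.bash_history'"},
    {"host": "srv02", "platform": "linux", "parent": "make",
     "command_line": "rm -f /tmp/build/output.o"},
    {"host": "srv02", "platform": "linux", "parent": "bash",
     "command_line": "ls -la /bin/rm"},   # mentions rm as an argument, does not run it
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.host} {f.parent} -> {f.verb} {' '.join(f.targets)}")
```

Only the first token of each simple command is matched against the deletion verbs, so an argument that merely contains rm (the ls example) does not fire; the severity split is what lets an analyst follow the page's advice of checking what was deleted rather than alerting on every rm.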
Detection
ID | Data source and component | Description
---|---|---
DS0022 | File: File Deletion | Monitor for unexpected deletion of files from the system.
DS0017 | Command: Command Execution | Monitor executed commands and arguments for actions that could be utilized to unlink, rename, or delete files.