T1070.004: File Deletion

Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.

There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples of built-in Command and Scripting Interpreter functions include del on Windows and rm or unlink on Linux and macOS.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

— Monitoring of process-start events where the command line contains 'del' (for Windows) or 'rm' and 'unlink' (for Linux). It is also recommended to check the legitimacy and the results of executing these commands (for example, check for deletion of a critical system file, log file, and so on).
— Monitoring of events related to unexpected file deletion.
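As an added illustration of the command-line monitoring described above (example code written for this page, not MaxPatrol SIEM rule content), the following Python snippet scans constructed process-start events for del/rm/unlink invocations, extracts the file operands, and raises the severity when a log or system file is the target. The event field names (os, user, cmdline) and the sensitive-path patterns are assumptions.

```python
import re
import shlex

# Constructed sample process-start events (not real telemetry); field names are assumed.
EVENTS = [
    {"os": "windows", "user": "svc_backup", "cmdline": r"cmd.exe /c del /f /q C:\Windows\Temp\upd.exe"},
    {"os": "windows", "user": "admin", "cmdline": r"cmd.exe /c del C:\Windows\System32\winevt\Logs\Security.evtx"},
    {"os": "linux", "user": "www-data", "cmdline": "rm -rf /var/log/auth.log /tmp/.x"},
    {"os": "linux", "user": "dev", "cmdline": "unlink /home/dev/build/a.out"},
    {"os": "linux", "user": "dev", "cmdline": "grep -r delete /etc/cron.d"},
]

# Built-in deletion commands per platform, as named on this page.
DELETE_CMDS = {"windows": {"del"}, "linux": {"rm", "unlink"}}
# Assumed patterns for files whose removal hurts forensics or system integrity.
SENSITIVE = re.compile(r"(\.log$|\.evtx$|/var/log/|\\winevt\\|\\System32\\)", re.IGNORECASE)

def parse_targets(cmdline, os_name):
    """Return (deletion command found, list of file operands), or (None, []) if absent."""
    # Windows command lines keep backslashes literally, so disable POSIX escape handling there.
    tokens = shlex.split(cmdline, posix=(os_name != "windows"))
    flag_prefix = "/" if os_name == "windows" else "-"
    for i, tok in enumerate(tokens):
        name = re.split(r"[\\/]", tok.lower())[-1]  # strip any leading directory, e.g. /bin/rm
        if name in DELETE_CMDS[os_name]:
            # Everything after the command that is not a switch is treated as a target path.
            targets = [a for a in tokens[i + 1:] if not a.startswith(flag_prefix)]
            return name, targets
    return None, []

def severity(targets):
    """High when any operand looks like a log or system file, otherwise medium."""
    return "high" if any(SENSITIVE.search(t) for t in targets) else "medium"

def detect(events):
    """Produce one alert per event whose command line invokes a deletion command."""
    alerts = []
    for ev in events:
        cmd, targets = parse_targets(ev["cmdline"], ev["os"])
        if cmd is None:
            continue
        alerts.append({"user": ev["user"], "cmd": cmd, "targets": targets,
                       "severity": severity(targets)})
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The alert list is what an analyst would then triage against the legitimacy checks recommended above (who ran the command, and whether the deleted path was a critical system or log file).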

Expert Required. The technique is detected only with the combination of «PT Product + Expert»

Detection

ID: DS0022
Data source and component: File: File Deletion
Description: Monitor for unexpected deletion of files from the system.

ID: DS0017
Data source and component: Command: Command Execution
Description: Monitor executed commands and arguments for actions that could be utilized to unlink, rename, or delete files.