# T1070.004 - File Deletion

Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.

There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native cmd functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack Tools)

## Atomic Tests


## Atomic Test #1 - Delete a single file - Linux/macOS

Delete a single file from the temporary directory

**Supported Platforms:** Linux, macOS

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_to_delete | Path of file to delete | Path | /tmp/victim-files/a |

#### Attack Commands: Run with `sh`!

```sh
rm -f #{file_to_delete}
```


## Atomic Test #2 - Delete an entire folder - Linux/macOS

Recursively delete the temporary directory and all files contained within it

**Supported Platforms:** Linux, macOS

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| folder_to_delete | Path of folder to delete | Path | /tmp/victim-files |

#### Attack Commands: Run with `sh`!

```sh
rm -rf #{folder_to_delete}
```


## Atomic Test #3 - Overwrite and delete a file with shred

Use the shred command to overwrite the temporary file and then delete it

**Supported Platforms:** Linux

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_to_shred | Path of file to shred | Path | /tmp/victim-shred.txt |

#### Attack Commands: Run with `sh`!

```sh
shred -u #{file_to_shred}
```


## Atomic Test #4 - Delete a single file - Windows cmd

Delete a single file from the temporary directory using cmd.exe. Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted.

**Supported Platforms:** Windows

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_to_delete | File to delete. Run the prereq command to create it if it does not exist. | string | %temp%\deleteme_T1551.004 |

#### Attack Commands: Run with `command_prompt`!

```cmd
del /f #{file_to_delete}
```

#### Dependencies: Run with `command_prompt`!

##### Description: The file to delete must exist on disk at the specified location (#{file_to_delete})
##### Check Prereq Commands:
```cmd
IF EXIST "#{file_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 )
```
##### Get Prereq Commands:
```cmd
echo deleteme_T1551.004 >> #{file_to_delete}
```


## Atomic Test #5 - Delete an entire folder - Windows cmd

Recursively delete a folder in the temporary directory using cmd.exe. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.

**Supported Platforms:** Windows

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| folder_to_delete | Folder to delete. Run the prereq command to create it if it does not exist. | string | %temp%\deleteme_T1551.004 |

#### Attack Commands: Run with `command_prompt`!

```cmd
rmdir /s /q #{folder_to_delete}
```

#### Dependencies: Run with `command_prompt`!

##### Description: The folder to delete must exist on disk at the specified location (#{folder_to_delete})
##### Check Prereq Commands:
```cmd
IF EXIST "#{folder_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 )
```
##### Get Prereq Commands:
```cmd
mkdir #{folder_to_delete}
```


## Atomic Test #6 - Delete a single file - Windows PowerShell

Delete a single file from the temporary directory using PowerShell. Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted.

**Supported Platforms:** Windows

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_to_delete | File to delete. Run the prereq command to create it if it does not exist. | string | $env:TEMP\deleteme_T1551.004 |

#### Attack Commands: Run with `powershell`!

```powershell
Remove-Item -Path #{file_to_delete}
```

#### Dependencies: Run with `powershell`!

##### Description: The file to delete must exist on disk at the specified location (#{file_to_delete})
##### Check Prereq Commands:
```powershell
if (Test-Path #{file_to_delete}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Path #{file_to_delete} | Out-Null
```


## Atomic Test #7 - Delete an entire folder - Windows PowerShell

Recursively delete a folder in the temporary directory using PowerShell. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.

**Supported Platforms:** Windows

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| folder_to_delete | Folder to delete. Run the prereq command to create it if it does not exist. | string | $env:TEMP\deleteme_folder_T1551.004 |

#### Attack Commands: Run with `powershell`!

```powershell
Remove-Item -Path #{folder_to_delete} -Recurse
```

#### Dependencies: Run with `powershell`!

##### Description: The folder to delete must exist on disk at the specified location (#{folder_to_delete})
##### Check Prereq Commands:
```powershell
if (Test-Path #{folder_to_delete}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Path #{folder_to_delete} -Type Directory | Out-Null
```


## Atomic Test #8 - Delete Filesystem - Linux

This test deletes the entire root filesystem of a Linux system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive; do NOT use on production equipment.

**Supported Platforms:** Linux

#### Attack Commands: Run with `bash`!

```bash
rm -rf / --no-preserve-root > /dev/null 2> /dev/null
```


## Atomic Test #9 - Delete-PrefetchFile

Delete a single prefetch file. Deletion of prefetch files is a known anti-forensic technique. To verify execution, run `(Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" | Measure-Object).Count` before and after the test and confirm that the number of prefetch files decreases by 1.

**Supported Platforms:** Windows

#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

```powershell
Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" -Name)[0])
```


## Atomic Test #10 - Delete TeamViewer Log Files

Adversaries may delete TeamViewer log files to hide activity. This should provide a high true-positive alert ratio. This test only places the file in a non-TeamViewer folder; a detection would simply check for a deletion event whose file name matches the TeamViewer log format `TeamViewer_##.log`. Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted.

https://twitter.com/SBousseaden/status/1197524463304290305?s=20

**Supported Platforms:** Windows

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| teamviewer_log_file | TeamViewer log file to delete. Run the prereq command to create it if it does not exist. | string | $env:TEMP\TeamViewer_54.log |

#### Attack Commands: Run with `powershell`!

```powershell
Remove-Item #{teamviewer_log_file}
```

#### Dependencies: Run with `powershell`!

##### Description: The file to delete must exist on disk at the specified location (#{teamviewer_log_file})
##### Check Prereq Commands:
```powershell
if (Test-Path #{teamviewer_log_file}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Path #{teamviewer_log_file} | Out-Null
```
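Tests #9 and #10 each describe the detection they are meant to exercise: a deletion event for a prefetch `.pf` file, and a deletion event whose file name matches `TeamViewer_##.log`. The following is an added example (not part of Atomic Red Team or this test file) of that matching logic run over constructed file-deletion records. The record shape is loosely modelled on Sysmon Event ID 23 (FileDelete) but the field names, user names, paths and the `.pf` file name are assumptions invented for the example, not a real log export.

```python
import re

# Constructed sample of file-deletion events, shaped loosely like Sysmon Event ID 23
# (FileDelete) records. Field names, paths, the user name and the .pf file name are
# assumptions made up for this example, not a real log export.
SAMPLE_EVENTS = [
    {"event_id": 23, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\TeamViewer_54.log"},
    {"event_id": 23, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Windows\Prefetch\CMD.EXE-AC8E4EBE.pf"},
    {"event_id": 23, "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\deleteme_T1551.004"},
    {"event_id": 23, "image": r"C:\Program Files\TeamViewer\TeamViewer_Service.exe",
     "target": r"C:\ProgramData\TeamViewer\TeamViewer15_Logfile_OLD.log"},
    {"event_id": 11, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\TeamViewer_54.log"},  # file create, not a deletion
]

FILE_DELETE_EVENT_ID = 23

# Each rule is (name, compiled pattern over the deleted path). Paths are normalised to
# backslashes and matched case-insensitively because NTFS paths are case-insensitive.
RULES = [
    # Test #10: deletion of any file named TeamViewer_<digits>.log, in any directory,
    # which is exactly the name-only check the test description calls for.
    ("teamviewer_log_deleted",
     re.compile(r"(?:^|\\)TeamViewer_\d+\.log$", re.IGNORECASE)),
    # Test #9: deletion of a prefetch file directly under <drive>:\Windows\Prefetch\
    ("prefetch_file_deleted",
     re.compile(r"^[A-Za-z]:\\Windows\\Prefetch\\[^\\]+\.pf$", re.IGNORECASE)),
]


def normalise(path: str) -> str:
    """Collapse forward slashes to backslashes so one pattern covers both spellings."""
    return path.replace("/", "\\")


def evaluate(events):
    """Return one alert dict per (deletion event, matching rule) pair, in input order.

    Non-deletion events are skipped; everything else is tested against every rule so
    a single path can raise more than one alert if it matches more than one pattern.
    """
    alerts = []
    for ev in events:
        if ev.get("event_id") != FILE_DELETE_EVENT_ID:
            continue  # only deletions are relevant to T1070.004
        target = normalise(ev["target"])
        for name, pattern in RULES:
            if pattern.search(target):
                alerts.append({"rule": name, "image": ev["image"], "target": target})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['image']} deleted {alert['target']}")
```

Run against the constructed sample, the TeamViewer rule fires on the `TeamViewer_54.log` deletion but not on the `TeamViewer15_Logfile_OLD.log` one, and the prefetch rule fires on the `.pf` deletion; the `deleteme_T1551.004` deletion and the file-create event produce nothing. In a real pipeline the `image` field is what you would use to suppress the expected deleters before alerting.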