T1070.004 - File Deletion#
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. (Citation: Microsoft SDelete July 2016) Examples of built-in Command and Scripting Interpreter functions include del on Windows and rm or unlink on Linux and macOS.
Atomic Tests#
Atomic Test #1 - Delete a single file - FreeBSD/Linux/macOS#
Delete a single file from the temporary directory
Supported Platforms: linux, macos
Dependencies: Run with sh!#
Description: The file must exist in order to be deleted#
Check Prereq Commands:#
test -e /tmp/victim-files/T1070.004-test.txt && exit 0 || exit 1
Get Prereq Commands:#
mkdir -p /tmp/victim-files/ && touch /tmp/victim-files/T1070.004-test.txt
Invoke-AtomicTest T1070.004 -TestNumbers 1 -GetPreReqs
Attack Commands: Run with sh#
rm -f /tmp/victim-files/T1070.004-test.txt
Invoke-AtomicTest T1070.004 -TestNumbers 1
Cleanup:#
rm -rf /tmp/victim-files/
Invoke-AtomicTest T1070.004 -TestNumbers 1 -Cleanup
Atomic Test #2 - Delete an entire folder - FreeBSD/Linux/macOS#
Recursively delete the temporary directory and all files contained within it
Supported Platforms: linux, macos
Dependencies: Run with sh!#
Description: The folder must exist in order to be deleted#
Check Prereq Commands:#
test -e /tmp/victim-folder && exit 0 || exit 1
Get Prereq Commands:#
mkdir -p /tmp/victim-folder
Invoke-AtomicTest T1070.004 -TestNumbers 2 -GetPreReqs
Attack Commands: Run with sh#
rm -rf /tmp/victim-folder
Invoke-AtomicTest T1070.004 -TestNumbers 2
Atomic Test #3 - Overwrite and delete a file with shred#
Use the shred command to overwrite the temporary file and then delete it
Supported Platforms: linux
Attack Commands: Run with sh#
shred -u /tmp/victim-shred.txt
Invoke-AtomicTest T1070.004 -TestNumbers 3
Atomic Test #4 - Delete a single file - Windows cmd#
Delete a single file from the temporary directory using cmd.exe. Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted.
Supported Platforms: windows
Dependencies: Run with command_prompt!#
Description: The file to delete must exist on disk at the specified location (#{file_to_delete})#
Check Prereq Commands:#
IF EXIST "%temp%\deleteme_T1551.004" ( EXIT 0 ) ELSE ( EXIT 1 )
Get Prereq Commands:#
echo deleteme_T1551.004 >> %temp%\deleteme_T1551.004
Invoke-AtomicTest T1070.004 -TestNumbers 4 -GetPreReqs
Attack Commands: Run with command_prompt#
del /f %temp%\deleteme_T1551.004
Invoke-AtomicTest T1070.004 -TestNumbers 4
Atomic Test #5 - Delete an entire folder - Windows cmd#
Recursively delete a folder in the temporary directory using cmd.exe. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.
Supported Platforms: windows
Dependencies: Run with command_prompt!#
Description: The folder to delete must exist on disk at the specified location (#{folder_to_delete})#
Check Prereq Commands:#
IF EXIST "%temp%\deleteme_T1551.004" ( EXIT 0 ) ELSE ( EXIT 1 )
Get Prereq Commands:#
mkdir %temp%\deleteme_T1551.004
Invoke-AtomicTest T1070.004 -TestNumbers 5 -GetPreReqs
Attack Commands: Run with command_prompt#
rmdir /s /q %temp%\deleteme_T1551.004
Invoke-AtomicTest T1070.004 -TestNumbers 5
Atomic Test #6 - Delete a single file - Windows PowerShell#
Delete a single file from the temporary directory using PowerShell. Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted.
Supported Platforms: windows
Dependencies: Run with powershell!#
Description: The file to delete must exist on disk at the specified location (#{file_to_delete})#
Check Prereq Commands:#
if (Test-Path $env:TEMP\deleteme_T1551.004) {exit 0} else {exit 1}
Get Prereq Commands:#
New-Item -Path $env:TEMP\deleteme_T1551.004 | Out-Null
Invoke-AtomicTest T1070.004 -TestNumbers 6 -GetPreReqs
Attack Commands: Run with powershell#
Remove-Item -path $env:TEMP\deleteme_T1551.004
Invoke-AtomicTest T1070.004 -TestNumbers 6
Atomic Test #7 - Delete an entire folder - Windows PowerShell#
Recursively delete a folder in the temporary directory using PowerShell. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.
Supported Platforms: windows
Dependencies: Run with powershell!#
Description: The folder to delete must exist on disk at the specified location (#{folder_to_delete})#
Check Prereq Commands:#
if (Test-Path $env:TEMP\deleteme_folder_T1551.004) {exit 0} else {exit 1}
Get Prereq Commands:#
New-Item -Path $env:TEMP\deleteme_folder_T1551.004 -Type Directory | Out-Null
Invoke-AtomicTest T1070.004 -TestNumbers 7 -GetPreReqs
Attack Commands: Run with powershell#
Remove-Item -Path $env:TEMP\deleteme_folder_T1551.004 -Recurse
Invoke-AtomicTest T1070.004 -TestNumbers 7
Atomic Test #8 - Delete Filesystem - Linux#
This test deletes the entire root filesystem of a Linux system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment.
Supported Platforms: linux
Attack Commands: Run with sh#
[ "$(uname)" = 'Linux' ] && rm -rf / --no-preserve-root > /dev/null 2> /dev/null || chflags -R 0 / && rm -rf / > /dev/null 2> /dev/null
Invoke-AtomicTest T1070.004 -TestNumbers 8
Atomic Test #9 - Delete Prefetch File#
Delete a single prefetch file. Deletion of prefetch files is a known anti-forensic technique. To verify execution, run (Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" | Measure-Object).Count before and after the test to verify that the number of prefetch files decreases by 1.
Supported Platforms: windows
Elevation Required (e.g. root or admin)
Attack Commands: Run with powershell#
Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" -Name)[0])
Invoke-AtomicTest T1070.004 -TestNumbers 9
Atomic Test #10 - Delete TeamViewer Log Files#
Adversaries may delete TeamViewer log files to hide activity. This should provide a high true-positive alert ratio.
This test just places the files in a non-TeamViewer folder; a detection would just check for a deletion event matching the TeamViewer log file format of TeamViewer_##.log. Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted.
https://twitter.com/SBousseaden/status/1197524463304290305?s=20
Supported Platforms: windows
Attack Commands: Run with powershell#
New-Item -Path $env:TEMP\TeamViewer_54.log -Force | Out-Null
Remove-Item $env:TEMP\TeamViewer_54.log -Force -ErrorAction Ignore
Invoke-AtomicTest T1070.004 -TestNumbers 10
Detection#
It may be uncommon for events related to benign command-line functions such as DEL or third-party utilities or tools to be found in an environment, depending on the user base and how systems are typically used. Monitoring for command-line deletion functions to correlate with binaries or other files that an adversary may drop and remove may lead to detection of malicious activity. Another good practice is monitoring for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce. Some monitoring tools may collect command-line arguments, but may not capture DEL commands since DEL is a native function within cmd.exe.
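As an added example (not part of the Atomic Red Team page or its tests), the detection logic sketched in Test #10 and in the Detection section above, run over constructed Sysmon-like events: it keys on the full command line rather than the process image, because del, erase and rmdir are cmd.exe built-ins, and it flags deletion of TeamViewer_##.log and prefetch files by any process other than an assumed legitimate owner. The event shape, sample paths and the owner allowlist are assumptions made for this example.

```python
import re

# Constructed sample events in a simplified Sysmon-like shape (not real telemetry):
# id "1" = process creation with its command line, id "23" = file deletion.
EVENTS = [
    {"id": "1", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del /f %temp%\deleteme_T1551.004"},
    {"id": "1", "image": "/usr/bin/shred", "cmdline": "shred -u /tmp/victim-shred.txt"},
    {"id": "1", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"id": "23", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\u\AppData\Local\Temp\TeamViewer_54.log"},
    {"id": "23", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Windows\Prefetch\NOTEPAD.EXE-ABCDEF12.pf"},
    {"id": "23", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\Prefetch\NOTEPAD.EXE-ABCDEF12.pf"},
    {"id": "23", "image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "target": r"C:\Program Files\TeamViewer\TeamViewer_53.log"},
]

# Deletion utilities named on this page. Matched against the whole command line, not the
# image: del, erase and rmdir are cmd.exe built-ins, so cmd.exe is the only image they run under.
DELETE_CMD = re.compile(
    r"(?:^|[\s;&|])(del|erase|rmdir|rm|unlink|shred|Remove-Item)(?=\s|$)", re.IGNORECASE)

# High-signal artefacts from Tests #9 and #10. The process named beside each pattern is
# assumed (for this example only) to be its legitimate owner; any other deleter is flagged.
ARTEFACTS = [
    (re.compile(r"\\TeamViewer_\d+\.log$", re.IGNORECASE), {"teamviewer.exe"}),
    (re.compile(r"\\Prefetch\\[^\\]+\.pf$", re.IGNORECASE), {"svchost.exe"}),
]

def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()

def classify(event):
    """Return the alert tags one event raises ([] when nothing fires)."""
    tags = []
    if event["id"] == "1":
        m = DELETE_CMD.search(event["cmdline"])
        if m:
            tags.append("deletion-command:" + m.group(1).lower())
    elif event["id"] == "23":
        for pattern, owners in ARTEFACTS:
            if pattern.search(event["target"]) and basename(event["image"]) not in owners:
                tags.append("artefact-deleted:" + basename(event["target"]))
    return tags

def scan(events):
    return [(e, classify(e)) for e in events if classify(e)]
```

Running scan(EVENTS) flags the cmd.exe del, the shred run, and the two PowerShell deletions of artefacts, while the svchost.exe prefetch deletion and TeamViewer.exe rotating its own log pass silently.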