Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how it was executed. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native cmd functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools.
APT18: APT18 actors deleted tools and batch files from victim systems.
APT28: APT28 has intentionally deleted computer files to cover their tracks, including with use of the program CCleaner.
APT3: APT3 has a tool that can delete files.
APT32: APT32's macOS backdoor can receive a "delete" command.
APT38: APT38 has used a utility called CLOSESHAVE that can securely delete a file from the system.
APT41: APT41 deleted files from the system.
Tactic: Defense Evasion
Platform: Linux, macOS, Windows
Permissions Required: User
Data Sources: File monitoring, Process command-line parameters, Binary file metadata
Defense Bypassed: Host forensic analysis
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
Depending on the user base and how systems are typically used, events involving benign command-line deletion functions such as DEL, or third-party deletion utilities, may be uncommon in an environment. Monitoring for command-line deletion functions and correlating them with binaries or other files an adversary may have dropped and later removed can lead to detection of malicious activity. Another good practice is monitoring for known deletion and secure-deletion tools (for example SDelete) that are not already present on systems within the enterprise network and that an adversary could introduce. Some monitoring tools collect command-line arguments but still may not capture DEL commands: DEL is a built-in function of cmd.exe rather than a separate executable, so it never appears as its own process-creation event and is visible only in the command line of the cmd.exe process that ran it.
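The detection approach described above, applied to a handful of Sysmon-style events, as an added example that is not part of the original page. It tracks files seen in FileCreate events (Event ID 11), flags any process-creation event (Event ID 1) whose image is a known secure-deletion tool, and flags cmd.exe or PowerShell command lines that delete a file previously seen being dropped. The sample events, the field names, and the tool list are constructed for illustration; a real deployment would feed it events from the Sysmon operational log.

```python
import re

# Constructed Sysmon-style events for illustration (not real logs).
# EventID 11 = FileCreate, EventID 1 = ProcessCreate; field names follow Sysmon's schema.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\Public\stage\p.exe"},
    {"EventID": 11, "Image": r"C:\Users\Public\stage\p.exe",
     "TargetFilename": r"C:\Users\Public\stage\run.bat"},
    # DEL is internal to cmd.exe: it shows up only in cmd.exe's own command line.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c del /f /q "C:\Users\Public\stage\run.bat"'},
    {"EventID": 1, "Image": r"C:\Tools\sdelete.exe",
     "CommandLine": r"sdelete.exe -p 3 C:\Users\Public\stage\p.exe"},
    # Benign deletion of a file that was never seen being dropped.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c del /q C:\Users\alice\Desktop\notes.txt"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\Desktop\notes.txt"},
]

# Known secure-deletion tools, matched on image basename (assumed list, extend as needed).
DELETION_TOOLS = {"sdelete.exe", "sdelete64.exe"}

# DEL/ERASE must be preceded by start-of-line, whitespace, '/', '&' or '|' and followed
# by whitespace, so "vssadmin delete" or "sdelete.exe" do not match.
CMD_DELETE_RE = re.compile(r"(?:^|[\s/&|])(?:del|erase)\s+(.*)", re.IGNORECASE)
PS_DELETE_RE = re.compile(r"\b(?:Remove-Item|rm|del|erase|rd|rmdir)\b\s+(.*)", re.IGNORECASE)
TOKEN_RE = re.compile(r'"([^"]+)"|(\S+)')  # quoted token, else bare token


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def extract_paths(args):
    """Return lower-cased non-switch tokens from a deletion command's arguments."""
    paths = []
    for quoted, bare in TOKEN_RE.findall(args):
        tok = quoted or bare
        if tok.startswith(("/", "-")) or tok.isdigit():  # skip switches like /f /q, -p 3
            continue
        paths.append(tok.lower())
    return paths


def detect_deletions(events):
    """Flag secure-deletion tools and deletions of files previously seen being created."""
    dropped = set()
    findings = []
    for ev in events:
        if ev["EventID"] == 11:
            dropped.add(ev["TargetFilename"].lower())
            continue
        if ev["EventID"] != 1:
            continue
        image = basename(ev["Image"])
        cmdline = ev.get("CommandLine", "")
        if image in DELETION_TOOLS:
            # Presence of the tool alone is worth a finding; correlation is a bonus.
            args = cmdline.split(None, 1)[1] if " " in cmdline else ""
            targets = extract_paths(args)
            findings.append({"rule": "secure_delete_tool", "image": image,
                             "targets": targets,
                             "correlated": [t for t in targets if t in dropped]})
            continue
        match = None
        if image == "cmd.exe":
            match = CMD_DELETE_RE.search(cmdline)
        elif image in ("powershell.exe", "pwsh.exe"):
            match = PS_DELETE_RE.search(cmdline)
        if match:
            targets = extract_paths(match.group(1))
            correlated = [t for t in targets if t in dropped]
            if correlated:  # built-in deletes are noisy; only report ones hitting dropped files
                findings.append({"rule": "delete_of_dropped_file", "image": image,
                                 "targets": targets, "correlated": correlated})
    return findings


if __name__ == "__main__":
    for f in detect_deletions(SAMPLE_EVENTS):
        print(f["rule"], f["image"], f["correlated"])
```

Against the constructed events this reports two findings: the cmd.exe DEL of run.bat (correlated to its earlier FileCreate) and the SDelete run against p.exe; the deletion of notes.txt is ignored because that file was never observed being dropped. The correlation window in practice should be bounded by time and host, which the example omits for brevity.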
index=windows source="WinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 Image IN ("*\\sdelete.exe", "*\\vssadmin.exe", "*\\wmic.exe", "*\\bcdedit.exe", "*\\wbadmin.exe"))
index=windows source="WinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 Image="*\\vssadmin.exe" CommandLine="*Delete Shadows*")
index=windows source="WinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 Image="*\\wmic.exe" CommandLine="*shadowcopy delete*")
index=windows source="WinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 Image="*\\bcdedit.exe" CommandLine IN ("*bootstatuspolicy ignoreallfailures*", "*recoveryenabled no*"))
index=windows source="WinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 Image="*\\wbadmin.exe" CommandLine="*Delete*")