File Deletion

Information

• Name: File Deletion

• ID: T1070.004

• Tactics: TA0005

• Technique: T1070

Introduction

File Deletion (T1070.004) is a sub-technique within the MITRE ATT&CK framework under the broader category of Indicator Removal on Host (T1070). Attackers frequently utilize this technique to delete files or logs from compromised systems, aiming to remove evidence of their presence and actions. By eliminating artifacts such as malware binaries, scripts, logs, or configuration files, adversaries seek to evade detection, forensic analysis, and attribution.

Deep Dive Into Technique

File Deletion involves removing files from compromised systems through various methods and mechanisms. Attackers typically employ built-in system utilities, custom scripts, or malware to execute file deletions. Common execution methods and mechanisms include:

• System Commands and Utilities:

  • Windows-based:

    • del or erase commands via Command Prompt (cmd.exe)

    • PowerShell commands such as Remove-Item

    • Windows API calls (DeleteFile, RemoveDirectory)

    • Batch scripts (.bat) or PowerShell scripts (.ps1) designed for automated cleanup

  • Linux/Unix-based:

    • rm, unlink commands via shell scripts or terminal

    • Commands executed through cron jobs or scheduled tasks for automated deletion

• Malware Capabilities:

  • Malware or implants with built-in functionality to delete files after execution or upon receiving external commands from command-and-control (C2) servers

  • Ransomware variants deleting backup files or shadow copies to hinder recovery attempts

• Automated Cleanup Scripts:

  • Custom-made scripts executed post-compromise to systematically remove logs, temporary files, malware binaries, or configuration files created during the attack lifecycle

Adversaries often target specific types of files for deletion, such as:

• Event logs (Windows Event Logs, syslog, application logs)

• Temporary files and scripts used during exploitation

• Malware binaries after successful persistence or lateral movement

• Configuration files revealing attacker infrastructure or commands executed

When this Technique is Usually Used

This sub-technique commonly appears across multiple stages of the cyber kill chain, primarily during the following scenarios and stages:

• Defense Evasion:

  • Attackers delete logs and artifacts to evade detection by security monitoring tools or forensic analysts.

  • Removal of malware binaries after achieving persistence to minimize detection risk.

• Post-Exploitation Cleanup:

  • Adversaries remove temporary files, scripts, or tools used during initial access, privilege escalation, or lateral movement stages.

  • Deletion of command history or shell history files to obscure executed commands.

• Impact Stage (Ransomware):

  • Ransomware operators delete backup files, shadow copies, or snapshots to prevent victims from restoring data without paying ransom.

• Incident Response Interference:

  • During active investigations, attackers may delete forensic artifacts or logs to impede incident response and forensic analysis efforts.

How this Technique is Usually Detected

Detection of File Deletion activity involves monitoring system events, file system changes, and log analysis. Detection methods include:

• File System Monitoring:

  • Implementing file integrity monitoring (FIM) solutions such as OSSEC, Tripwire, or built-in Windows File Integrity Monitoring.

  • Monitoring file deletion events through endpoint detection and response (EDR) tools or host intrusion detection systems (HIDS).

• System and Event Log Monitoring:

  • Windows:

    • Monitoring Windows Security Event Logs for Event IDs related to file deletion (e.g., Event ID 4660 - Object Deleted).

    • Monitoring PowerShell logs (Event IDs 4103, 4104) for suspicious file removal activity.

  • Linux/Unix:

    • Monitoring audit logs (auditd) for deletion events (unlink, rmdir syscalls).

    • Reviewing shell command histories and logs for suspicious use of rm commands.

• Endpoint Detection and Response (EDR) Tools:

  • Leveraging EDR platforms like CrowdStrike Falcon, Carbon Black, Microsoft Defender ATP, or SentinelOne to detect suspicious file deletion activity.

  • Correlation of behavioral indicators and process execution patterns indicative of attacker activity.

• Indicators of Compromise (IoCs):

  • Sudden deletion of critical logs or security-related files.

  • Unusual execution of deletion commands (del, erase, rm) from unexpected processes or users.

  • Detection of automated scripts or scheduled tasks designed explicitly for file deletion.

Why it is Important to Detect This Technique

Early detection of File Deletion is crucial due to its potential impacts on incident response, forensic analysis, and organizational security posture. Importance includes:

• Preservation of Forensic Evidence:

  • Preventing attackers from successfully removing critical forensic artifacts that help reconstruct attack timelines, identify attacker techniques, and facilitate attribution.

• Incident Response Efficiency:

  • Early detection allows incident responders to quickly isolate compromised systems, secure forensic evidence, and minimize damage.

• Reducing Attacker Dwell Time:

  • Identifying file deletion attempts may uncover ongoing attacker activity, enabling defenders to disrupt further attacker objectives and limit lateral movement.

• Minimizing Operational Impact:

  • Preventing deletion of critical system files, logs, or backups reduces operational disruptions, data loss, and recovery costs.

• Compliance and Audit Requirements:

  • Ensuring comprehensive logging and file integrity monitoring aligns with regulatory compliance standards and audit requirements.

Examples

Real-world examples involving File Deletion include:

• NotPetya Ransomware (2017):

  • Attack Scenario:

    • Malware executed commands to delete Windows Shadow Copies using vssadmin delete shadows /all /quiet.

  • Tools used:

    • Built-in Windows utilities (vssadmin.exe)

  • Impact:

    • Victims were unable to recover encrypted data from local backups, leading to extensive data loss and operational disruption.

• APT29 (Cozy Bear) Operations:

  • Attack Scenario:

    • After successful intrusion, APT29 operators routinely deleted malware binaries and scripts used during initial compromise and lateral movement phases.

  • Tools used:

    • Custom scripts, PowerShell commands (Remove-Item), and native Windows commands (del).

  • Impact:

    • Difficulty in forensic analysis and attribution due to limited remaining artifacts.

• FIN7 Cybercrime Group:

  • Attack Scenario:

    • FIN7 attackers used scripts to delete logs, temporary files, and malware payloads after successful financial data exfiltration.

  • Tools used:

    • Batch scripts, PowerShell scripts, built-in Windows utilities.

  • Impact:

    • Reduced forensic visibility, complicating incident response and delaying detection.

• Shamoon Malware (2012, 2016, 2018):

  • Attack Scenario:

    • Shamoon malware deleted files and overwrote systems to disrupt operations and render systems unusable.

  • Tools used:

    • Malware with embedded deletion and wiping capabilities.

  • Impact:

    • Extensive operational disruption, data loss, and significant recovery efforts required.

These examples highlight the prevalence and critical importance of detecting File Deletion activity in cyber incidents.