Lifecycle-Triggered Deletion (T1485.001)

Information

• Name: Lifecycle-Triggered Deletion

• ID: T1485.001

• Tactics:

• Technique:

Introduction

Lifecycle/Trigger Deletion (T1485.001) is a sub-technique under the MITRE ATT&CK framework categorized within Impact techniques. This sub-technique specifically involves adversaries deleting or manipulating critical system artifacts such as startup scripts, scheduled tasks, or other triggers essential for system operation. By removing these critical lifecycle triggers, attackers aim to disrupt normal system processes, impede recovery, and potentially cause prolonged downtime or permanent damage to the targeted infrastructure.

Deep Dive Into Technique

Lifecycle/Trigger Deletion involves the deliberate removal or alteration of system components that control automated processes, scheduled tasks, or startup routines. Attackers typically leverage this sub-technique to maximize disruption, hinder recovery efforts, and extend the impact of their intrusion. Common execution methods include:

• Deletion of Scheduled Tasks: Attackers may utilize system commands such as schtasks /delete or PowerShell cmdlets (Unregister-ScheduledTask) to remove scheduled tasks responsible for backups, system updates, or security monitoring.

• Modification or Removal of Startup Scripts: Malicious actors can delete or alter scripts located in startup directories or system initialization points (e.g., Windows registry keys, Linux systemd service files, cron jobs), preventing critical services or security tools from initializing upon reboot.

• Removal of Automation Triggers in Cloud Environments: Attackers targeting cloud infrastructure may delete or disable cloud-based automation triggers (e.g., AWS Lambda functions, Azure Automation Runbooks, Google Cloud Scheduler jobs), severely impacting automated system management and remediation processes.

• Manipulation of Configuration Files: Adversaries may remove or corrupt critical configuration files such as system service definitions, boot configurations, or application lifecycle scripts, causing system instability or preventing recovery.

Real-world procedures often involve scripting languages (PowerShell, Bash), native OS commands (Windows command prompt, Linux terminal commands), or cloud provider APIs to systematically remove or alter lifecycle triggers.

When this Technique is Usually Used

Lifecycle/Trigger Deletion typically occurs during the later stages of an intrusion, particularly during destructive or disruptive attacks. Common scenarios include:

• Ransomware Attacks: Attackers delete backup scripts, scheduled backup jobs, or volume shadow copies to prevent data recovery and increase ransom payment likelihood.

• Sabotage and Destructive Attacks: Nation-state or activist threat actors may use this technique to cause prolonged downtime, disrupt critical infrastructure, or impede recovery efforts.

• Covering Tracks and Hindering Incident Response: Attackers delete scheduled security scans, logging mechanisms, or system monitoring tasks to evade detection or delay incident response efforts.

• Cloud Infrastructure Compromise: Adversaries remove automated remediation or scaling triggers to disrupt cloud-based operations, causing availability issues and operational disruptions.

How this Technique is Usually Detected

Detection of Lifecycle/Trigger Deletion involves monitoring system artifacts, configuration files, and scheduled tasks for unauthorized modifications or deletions. Common detection methods include:

• Monitoring Task Scheduler Logs: Regularly auditing Windows Task Scheduler event logs (Event IDs 4698, 4699, 4700, and 4702) can detect unauthorized task deletions or modifications.

• File Integrity Monitoring (FIM): Implementing FIM solutions to detect unauthorized changes or deletions of critical startup scripts, configuration files, or automation scripts.

• System Event Logs and Audit Trails: Monitoring system logs (e.g., Windows Security logs, Linux auditd logs) for suspicious commands or actions related to deletion or modification of lifecycle triggers.

• Endpoint Detection and Response (EDR) Tools: Leveraging EDR solutions to detect suspicious processes or commands associated with deletion or alteration of scheduled tasks, startup entries, or system configurations.

• Cloud Security Monitoring Tools: Utilizing cloud-native monitoring services (AWS CloudTrail, Azure Monitor, Google Cloud Operations Suite) to detect unauthorized API calls or actions involving deletion of automation triggers or lifecycle scripts.

Indicators of Compromise (IoCs) include:

• Unusual deletion commands executed by unexpected users or at unusual times.

• Missing or altered scheduled tasks and startup scripts.

• Disabled or deleted cloud automation triggers without authorized change records.

• Sudden disappearance of critical system configuration files or scripts.

Why it is Important to Detect This Technique

Detecting Lifecycle/Trigger Deletion is crucial due to its significant impact on system availability, integrity, and resilience. Early detection can mitigate severe consequences such as:

• Data Loss and Unrecoverable Damage: Prevents attackers from permanently removing backup and recovery mechanisms, thereby preserving data integrity and enabling restoration efforts.

• Minimizing Operational Downtime: Early detection allows rapid response to restore critical automation triggers, scheduled tasks, or startup scripts, reducing downtime and operational disruption.

• Preventing Escalation of Attack: Identifying attempts to delete lifecycle triggers can alert defenders to broader malicious activities, enabling quick containment and remediation before further damage occurs.

• Reducing Incident Response Complexity: Timely detection simplifies incident response by preserving critical system artifacts and automation mechanisms, facilitating faster recovery and forensic analysis.

• Maintaining Regulatory Compliance and Trust: Preventing prolonged disruptions and data loss helps organizations maintain regulatory compliance, avoid financial penalties, and preserve customer trust.

Examples

Real-world examples illustrating the use of Lifecycle/Trigger Deletion include:

• NotPetya Ransomware Attack (2017):

  • Scenario: NotPetya malware deleted Windows Volume Shadow Copies and scheduled backup tasks to prevent data recovery, causing widespread permanent data loss.

  • Tools Used: Native Windows commands (vssadmin delete shadows, schtasks /delete).

  • Impact: Global operational disruptions, billions of dollars in damages, and permanent loss of critical business data.

• Olympic Destroyer Malware (2018 Winter Olympics):

  • Scenario: Attackers deleted scheduled tasks and manipulated startup scripts to disrupt IT systems during the Winter Olympics opening ceremony.

  • Tools Used: Windows command-line utilities, PowerShell scripts.

  • Impact: Temporary disruption of Olympic IT infrastructure, causing delays and confusion during the event.

• Shamoon Malware Attacks (2012, 2016, 2018):

  • Scenario: Shamoon malware deleted startup scripts, scheduled tasks, and master boot records (MBRs), rendering infected systems unusable and unrecoverable.

  • Tools Used: Custom malware, native OS commands.

  • Impact: Severe operational disruptions, permanent data loss, and extensive recovery efforts required for affected organizations.

• Cloud Infrastructure Attacks:

  • Scenario: Attackers compromising cloud environments delete automation triggers (AWS Lambda functions, Azure Automation Runbooks) responsible for security monitoring, backups, or remediation.

  • Tools Used: Cloud provider APIs, stolen credentials, malicious scripts.

  • Impact: Extended downtime, security blind spots, and increased difficulty in incident response and recovery.

These examples underscore the severe consequences of Lifecycle/Trigger Deletion and highlight the importance of robust detection and prevention strategies.