Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native cmd functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack Tools)
Delete a single file from the temporary directory
Supported Platforms: Linux, macOS
Name | Description | Type | Default Value |
---|---|---|---|
file_to_delete | Path of file to delete | Path | /tmp/victim-files/a |
Attack command:
```sh
rm -f #{file_to_delete}
```
Recursively delete the temporary directory and all files contained within it
Supported Platforms: Linux, macOS
Name | Description | Type | Default Value |
---|---|---|---|
folder_to_delete | Path of folder to delete | Path | /tmp/victim-files |
Attack command:
```sh
rm -rf #{folder_to_delete}
```
Use the shred command to overwrite the temporary file and then delete it
Supported Platforms: Linux
Name | Description | Type | Default Value |
---|---|---|---|
file_to_shred | Path of file to shred | Path | /tmp/victim-shred.txt |
Attack command:
```sh
shred -u #{file_to_shred}
```
Delete a single file from the temporary directory using cmd.exe. Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted.
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
file_to_delete | File to delete. Run the prereq command to create it if it does not exist. | string | %temp%\deleteme_T1551.004 |
Attack command:
```cmd
del /f #{file_to_delete}
```
Check prereq command (exit 0 if the file already exists):
```cmd
IF EXIST "#{file_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 )
```
Get prereq command (create the file):
```cmd
echo deleteme_T1551.004 >> #{file_to_delete}
```
Recursively delete a folder in the temporary directory using cmd.exe. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
folder_to_delete | Folder to delete. Run the prereq command to create it if it does not exist. | string | %temp%\deleteme_T1551.004 |
Attack command:
```cmd
rmdir /s /q #{folder_to_delete}
```
Check prereq command (exit 0 if the folder already exists):
```cmd
IF EXIST "#{folder_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 )
```
Get prereq command (create the folder):
```cmd
mkdir #{folder_to_delete}
```
Delete a single file from the temporary directory using PowerShell. Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted.
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
file_to_delete | File to delete. Run the prereq command to create it if it does not exist. | string | $env:TEMP\deleteme_T1551.004 |
Attack command:
```powershell
Remove-Item -Path #{file_to_delete}
```
Check prereq command (exit 0 if the file already exists):
```powershell
if (Test-Path #{file_to_delete}) {exit 0} else {exit 1}
```
Get prereq command (create the file):
```powershell
New-Item -Path #{file_to_delete} | Out-Null
```
Recursively delete a folder in the temporary directory using PowerShell. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
folder_to_delete | Folder to delete. Run the prereq command to create it if it does not exist. | string | $env:TEMP\deleteme_folder_T1551.004 |
Attack command:
```powershell
Remove-Item -Path #{folder_to_delete} -Recurse
```
Check prereq command (exit 0 if the folder already exists):
```powershell
if (Test-Path #{folder_to_delete}) {exit 0} else {exit 1}
```
Get prereq command (create the folder):
```powershell
New-Item -Path #{folder_to_delete} -Type Directory | Out-Null
```
This test deletes the entire root filesystem of a Linux system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment.
Supported Platforms: Linux
Attack command:
```sh
rm -rf / --no-preserve-root > /dev/null 2> /dev/null
```
Delete a single prefetch file. Deletion of prefetch files is a known anti-forensic technique. To verify execution, run the following before and after the test and confirm that the number of prefetch files decreases by 1:
```powershell
(Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" | Measure-Object).Count
```
Supported Platforms: Windows
Attack command:
```powershell
Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" -Name)[0])
```
Adversaries may delete TeamViewer log files to hide activity. This should provide a high true-positive alert ratio. This test just places the file in a non-TeamViewer folder; a detection would simply check for a deletion event matching the TeamViewer log file name format TeamViewer_##.log. Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted.
https://twitter.com/SBousseaden/status/1197524463304290305?s=20
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
teamviewer_log_file | Teamviewer log file to delete. Run the prereq command to create it if it does not exist. | string | $env:TEMP\TeamViewer_54.log |
Attack command:
```powershell
Remove-Item #{teamviewer_log_file}
```
Check prereq command (exit 0 if the file already exists):
```powershell
if (Test-Path #{teamviewer_log_file}) {exit 0} else {exit 1}
```
Get prereq command (create the file):
```powershell
New-Item -Path #{teamviewer_log_file} | Out-Null
```
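Detection logic for the prefetch-deletion and TeamViewer-log-deletion tests above, written as an added example that is not part of the Atomic Red Team tests themselves. It runs over constructed Sysmon-style FileDelete (Event ID 23) records; the field names follow Sysmon, the sample paths are made up, and the allowlist of processes permitted to remove their own TeamViewer logs is an assumption to tune per environment.

```python
import re

# Constructed sample events shaped like Sysmon Event ID 23 (FileDelete) and
# Event ID 11 (FileCreate). Paths and hashes-style suffixes are invented.
SAMPLE_EVENTS = [
    {"EventID": 23, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Windows\Prefetch\CMD.EXE-4A81B364.pf"},
    {"EventID": 23, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\TeamViewer_54.log"},
    {"EventID": 23, "Image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\TeamViewer\TeamViewer_55.log"},
    {"EventID": 23, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\notes.txt"},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\deleteme_T1551.004"},
]

# Any .pf file directly under the Windows Prefetch directory.
PREFETCH_RE = re.compile(r"\\Windows\\Prefetch\\[^\\]+\.pf$", re.IGNORECASE)
# The TeamViewer_##.log naming pattern the test description describes.
TEAMVIEWER_LOG_RE = re.compile(r"\\TeamViewer_\d+\.log$", re.IGNORECASE)
# Assumed allowlist: TeamViewer rotating its own logs is expected; anything
# else deleting a file with that name is worth an alert.
TEAMVIEWER_OWN_IMAGES = {"teamviewer.exe"}


def classify_deletion(event):
    """Return a finding label for a FileDelete event, or None if it is benign."""
    if event.get("EventID") != 23:          # only deletions are of interest here
        return None
    target = event["TargetFilename"]
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if PREFETCH_RE.search(target):
        return "prefetch_deleted"
    if TEAMVIEWER_LOG_RE.search(target) and image not in TEAMVIEWER_OWN_IMAGES:
        return "teamviewer_log_deleted_by_foreign_process"
    return None


def scan(events):
    """Return (image, target, finding) triples for every event that matches."""
    findings = []
    for event in events:
        finding = classify_deletion(event)
        if finding:
            findings.append((event["Image"], event["TargetFilename"], finding))
    return findings


if __name__ == "__main__":
    for image, target, finding in scan(SAMPLE_EVENTS):
        print(f"{finding}: {image} deleted {target}")
```

Running it against the constructed events flags the prefetch deletion and the PowerShell-driven TeamViewer_54.log deletion, but not TeamViewer removing its own log.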