File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples of built-in Command and Scripting Interpreter functions include del on Windows and rm or unlink on Linux and macOS.
Detection logic
It may be uncommon for events related to benign command-line functions such as DEL or third-party utilities or tools to be found in an environment, depending on the user base and how systems are typically used. Monitoring for command-line deletion functions to correlate with binaries or other files that an adversary may drop and remove may lead to detection of malicious activity. Another good practice is monitoring for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce. Some monitoring tools may collect command-line arguments, but may not capture DEL commands since DEL is a native function within cmd.exe.
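The correlation described above, as an added example not taken from this page or from ATT&CK: it runs over constructed endpoint telemetry (file create/delete and process-creation events) and flags a file that is dropped and then removed within a short window, a cmd.exe command line invoking the del/erase builtins (which, being builtins rather than separate binaries, are only visible through the cmd.exe command line when the sensor records it), and a process image on a hypothetical watchlist of deletion utilities assumed not to be deployed in the estate.

```python
import re
from datetime import datetime

# Constructed sample telemetry for one host (not real logs): file create/delete
# events plus process-creation events, in time order.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "type": "file_create", "path": r"C:\Users\Public\svc.exe", "proc": "powershell.exe"},
    {"ts": "2024-05-01T10:00:05", "type": "process_create", "image": "svc.exe", "cmdline": "svc.exe -run"},
    {"ts": "2024-05-01T10:03:00", "type": "process_create", "image": "cmd.exe", "cmdline": r'cmd.exe /c del /f /q "C:\Users\Public\svc.exe"'},
    {"ts": "2024-05-01T10:03:01", "type": "file_delete", "path": r"C:\Users\Public\svc.exe", "proc": "cmd.exe"},
    {"ts": "2024-05-01T11:00:00", "type": "file_create", "path": r"C:\Users\bob\report.docx", "proc": "WINWORD.EXE"},
    {"ts": "2024-05-01T12:30:00", "type": "process_create", "image": "cmd.exe", "cmdline": r"cmd.exe /c dir C:\Users"},
]

# del and erase are cmd.exe builtins, not separate binaries, so they only show up
# inside a cmd.exe command line (and only if the sensor records command lines).
CMD_DELETE_RE = re.compile(r"(?:^|[\s&|(])(?:del|erase)\s", re.IGNORECASE)
# Deletion utilities assumed not to be deployed in this estate (hypothetical watchlist).
TOOL_WATCHLIST = {"sdelete.exe", "sdelete64.exe", "shred"}


def find_cleanup(events, window_s=600):
    """Return alert strings for three patterns: a file created and then deleted
    within window_s seconds (drop-and-wipe), a cmd.exe command line invoking the
    del/erase builtin, and a process image on the deletion-tool watchlist."""
    alerts = []
    created = {}  # path -> (creation time, creating process)
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "file_create":
            created[ev["path"]] = (ts, ev["proc"])
        elif ev["type"] == "file_delete" and ev["path"] in created:
            t0, dropper = created.pop(ev["path"])
            age = int((ts - t0).total_seconds())
            if age <= window_s:
                alerts.append(f"drop-and-wipe: {ev['path']} created by {dropper}, "
                              f"deleted by {ev['proc']} after {age}s")
        elif ev["type"] == "process_create":
            image = ev["image"].lower()
            if image == "cmd.exe" and CMD_DELETE_RE.search(ev["cmdline"]):
                alerts.append(f"cmd builtin delete: {ev['cmdline']}")
            elif image in TOOL_WATCHLIST:
                alerts.append(f"watchlisted deletion tool: {ev['cmdline']}")
    return alerts


if __name__ == "__main__":
    for line in find_cleanup(SAMPLE_EVENTS):
        print(line)
```

On the sample, the cmd.exe command line and the 181-second drop-and-wipe on svc.exe are reported, while the user document and the dir command are not.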
Observed actors
G0082
G0022 APT3
G0094 Kimsuky
G1017 Volt Typhoon
G0040 Patchwork
G0096 APT41
G0035 Dragonfly
G0120 Evilnum
G0045 menuPass
G0050 APT32
G0037 FIN6
G0047 Gamaredon Group
G0139 TeamTNT
G0034 Sandworm Team
G0026 APT18
G0129 Mustang Panda
G0106 Rocke
G0087 APT39
G0049 OilRig
G0081 Tropic Trooper
G0143 Aquatic Panda
G0089 The White Company
G0043 Group5
G1039 RedCurl
G0053 FIN5
G0016 APT29
G0114 Chimera
G0060 BRONZE BUTLER
G0088 TEMP.Veles
G1003 Ember Bear
G0007 APT28
G1013 Metador
G1023 APT5
G0032 Lazarus Group
G1032 INC Ransom
G0091 Silence
G0080 Cobalt Group
G0102 Wizard Spider
G1040 Play
G0059 Magic Hound
G0027 Threat Group-3390
G0051 FIN10
G0061 FIN8
Correlated CTI and IR reports
1200km CTI repository · explicit report mention: Attack Playbook — Operation DragonRx
1200km CTI repository · explicit report mention: CTI Research: Sandworm / APT44
1200km CTI repository · explicit report mention: From Threat Intelligence to Detection: A Practitioner's Guide
1200km CTI repository · explicit report mention: OilRig (APT34 / Helix Kitten / Earth Simnavaz etc)
Israel Threat Actors CTI · explicit report mention: Operation DragonRx — APT41 Full Attack Simulation
1200km CTI repository · explicit report mention: Operation DragonRx: Simulating an APT41 Attack End-to-End — From Log4Shell to DFIR and Malware Analysis
1200km CTI repository · explicit report mention: Attack Playbook Operation DragonRx
1200km Medium · authored report mention: CTI Research: Sandworm / APT44
1200km Medium · authored report mention: From Threat Intelligence to Detection: A Practitioner's Guide