Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native cmd functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack Tools)
Detection: It may be uncommon for events related to benign command-line functions such as DEL or third-party utilities or tools to be found in an environment, depending on the user base and how systems are typically used. Monitoring for command-line deletion functions to correlate with binaries or other files that an adversary may drop and remove may lead to detection of malicious activity. Another good practice is monitoring for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce. Some monitoring tools may collect command-line arguments, but may not capture DEL commands since DEL is a native function within cmd.exe.
Platforms: Linux, Windows, macOS
Data Sources: Binary file metadata, File monitoring, Process command-line parameters
Defense Bypassed: Host forensic analysis
Permissions Required: User
Contributors: Walker Johnson
Create a temporary directory and several files on the victim system for later deletion
Supported Platforms: Linux
mkdir /tmp/victim-files
cd /tmp/victim-files
touch a b c d e f g
echo "This file will be shredded" > /tmp/victim-shred.txt
Delete a single file from the temporary directory
Supported Platforms: Linux
rm -f /tmp/victim-files/a
Recursively delete the temporary directory and all files contained within it
Supported Platforms: Linux
rm -rf /tmp/victim-files
Use the shred command to overwrite the temporary file and then delete it
Supported Platforms: Linux
shred -u /tmp/victim-shred.txt
Create a temporary directory and several files on the victim system for later deletion
Supported Platforms: Windows
mkdir %TEMP%\victim-files-cmd
cd %TEMP%\victim-files-cmd
type nul > a
type nul > b
type nul > c
type nul > d
type nul > e
type nul > f
type nul > g
mkdir %TEMP%\victim-files-ps
cd %TEMP%\victim-files-ps
type nul > a
type nul > b
type nul > c
type nul > d
type nul > e
type nul > f
type nul > g
Delete a single file from the temporary directory using cmd.exe
Supported Platforms: Windows
del /f %TEMP%\victim-files-cmd\a
Recursively delete the temporary directory and all files contained within it using cmd.exe
Supported Platforms: Windows
del /f /S %TEMP%\victim-files-cmd
Delete a single file from the temporary directory using Powershell
Supported Platforms: Windows
Remove-Item -path %TEMP%\victim-files-ps\a
Recursively delete the temporary directory and all files contained within it using Powershell
Supported Platforms: Windows
Remove-Item -path %TEMP%\victim-files-ps -recurse
Delete all volume shadow copies with vssadmin.exe
Supported Platforms: Windows
vssadmin.exe Delete Shadows /All /Quiet
Delete all volume shadow copies with wmic
Supported Platforms: Windows
wmic shadowcopy delete
xxx
Supported Platforms: Windows
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
xxx
Supported Platforms: Windows
wbdadmin delete catalog -quiet