ID | Name |
---|---|
T1070.001 | Clear Windows Event Logs |
T1070.002 | Clear Linux or Mac System Logs |
T1070.003 | Clear Command History |
T1070.004 | File Deletion |
T1070.005 | Network Share Connection Removal |
T1070.006 | Timestomp |
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.[1] Examples of built-in Command and Scripting Interpreter functions include del
on Windows and rm
or unlink
on Linux and macOS.
ID | Name | Description |
---|---|---|
S0045 | ADVSTORESHELL |
ADVSTORESHELL can delete files and directories.[2] |
S0504 | Anchor |
Anchor can self delete its dropper after the malware is successfully deployed.[3] |
S0584 | AppleJeus | |
S0622 | AppleSeed |
AppleSeed can delete files from a compromised host after they are exfiltrated.[5] |
G0026 | APT18 |
APT18 actors deleted tools and batch files from victim systems.[6] |
G0007 | APT28 |
APT28 has intentionally deleted computer files to cover their tracks, including with use of the program CCleaner.[7] |
G0016 | APT29 |
APT29 routinely removed their tools, including custom backdoors, once remote access was achieved. APT29 has also used SDelete to remove artifacts from victims.[8][9] |
G0022 | APT3 | |
G0050 | APT32 | |
G0082 | APT38 |
APT38 has used a utility called CLOSESHAVE that can securely delete a file from the system. They have also removed malware, tools, or other non-native files used during the intrusion to reduce their footprint or as part of the post-intrusion cleanup process.[12][13] |
G0087 | APT39 |
APT39 has used malware to delete files after they are deployed on a compromised host.[14] |
G0096 | APT41 | |
G0143 | Aquatic Panda |
Aquatic Panda has deleted malicious executables from compromised machines.[16] |
S0456 | Aria-body |
Aria-body has the ability to delete files and directories on compromised hosts.[17] |
S0438 | Attor |
Attor’s plugin deletes the collected files and log files after exfiltration.[18] |
S0347 | AuditCred | |
S0344 | Azorult | |
S0414 | BabyShark |
BabyShark has cleaned up all files associated with the secondary payload execution.[21] |
S0475 | BackConfig |
BackConfig has the ability to remove files and folders related to previous infections.[22] |
S0093 | Backdoor.Oldrea |
Backdoor.Oldrea contains a cleanup module that removes traces of itself from the victim.[23] |
S0234 | Bandook | |
S0239 | Bankshot |
Bankshot marks files to be deleted upon the next system reboot and uninstalls and removes itself from the system.[25] |
S0534 | Bazar |
Bazar can delete its loader using a batch file in the Windows temporary folder.[26] |
S0127 | BBSRAT | |
S0268 | Bisonal |
Bisonal will delete its dropper and VBS scripts from the victim’s machine.[28][29][30] |
S0069 | BLACKCOFFEE |
BLACKCOFFEE has the capability to delete files.[31] |
S0520 | BLINDINGCAN |
BLINDINGCAN has deleted itself and associated artifacts from victim machines.[32] |
S0657 | BLUELIGHT | |
G0060 | BRONZE BUTLER |
The BRONZE BUTLER uploader or malware the uploader uses |
S0274 | Calisto |
Calisto has the capability to use |
S0030 | Carbanak | |
S0348 | Cardinal RAT |
Cardinal RAT can uninstall itself, including deleting its executable.[37] |
S0462 | CARROTBAT |
CARROTBAT has the ability to delete downloaded files from a compromised host.[38] |
S0674 | CharmPower |
CharmPower can delete created files from a compromised system.[39] |
S0107 | Cherry Picker |
Recent versions of Cherry Picker delete files and registry keys created by the malware.[40] |
G0114 | Chimera | |
S0106 | cmd | |
G0080 | Cobalt Group |
Cobalt Group deleted the DLL dropper from the victim’s machine to cover their tracks.[43] |
S0115 | Crimson |
Crimson has the ability to delete files from a compromised host.[44][45] |
S0498 | Cryptoistic |
Cryptoistic has the ability delete files from a compromised host.[46] |
S0527 | CSPY Downloader |
CSPY Downloader has the ability to self delete.[47] |
S0625 | Cuba |
Cuba can use the command |
S0673 | DarkWatchman |
DarkWatchman has been observed deleting its original launcher after installation.[49] |
S0354 | Denis |
Denis has a command to delete files from the victim’s machine.[50][51] |
S0021 | Derusbi |
Derusbi is capable of deleting files. It has been observed loading a Linux Kernel Module (LKM) and then deleting it from the hard disk as well as overwriting the data with null bytes.[52][53] |
G0035 | Dragonfly |
Dragonfly has deleted many of its files used during operations as part of cleanup, including removing applications and deleting screenshots.[54] |
S0502 | Drovorub |
Drovorub can delete specific files from a compromised host.[55] |
S0567 | Dtrack | |
S0062 | DustySky |
DustySky can delete files it creates from the infected system.[57] |
S0593 | ECCENTRICBANDWAGON |
ECCENTRICBANDWAGON can delete log files generated from the malware stored at |
S0081 | Elise |
Elise is capable of launching a remote shell on the host to delete itself.[59] |
S0091 | Epic | |
S0396 | EvilBunny |
EvilBunny has deleted the initial dropper after running through the environment checks.[61] |
G0120 | Evilnum | |
S0401 | Exaramel for Linux |
Exaramel for Linux can uninstall its persistence mechanism and delete its configuration file.[63] |
S0181 | FALLCHILL |
FALLCHILL can delete malware and associated artifacts from the victim.[64] |
S0512 | FatDuke | |
S0267 | FELIXROOT |
FELIXROOT deletes the .LNK file from the startup directory as well as the dropper components.[66] |
S0679 | Ferocious | |
G0051 | FIN10 |
FIN10 has used batch scripts and scheduled tasks to delete critical system files.[68] |
G0053 | FIN5 |
FIN5 uses SDelete to clean up the environment and attempt to prevent detection.[69] |
G0037 | FIN6 | |
G0061 | FIN8 |
FIN8 has deleted tmp and prefetch files during post compromise cleanup activities.[71] |
S0277 | FruitFly | |
S0410 | Fysbis | |
G0047 | Gamaredon Group |
Gamaredon Group tools can delete files used during an operation.[74][75][76] |
S0168 | Gazer |
Gazer has commands to delete files and persistence mechanisms from the victim.[77][78] |
S0666 | Gelsemium |
Gelsemium can delete its dropper component from the targeted system.[79] |
S0032 | gh0st RAT | |
S0249 | Gold Dragon |
Gold Dragon deletes one of its files, 2.hwp, from the endpoint after establishing persistence.[82] |
S0493 | GoldenSpy |
GoldenSpy's uninstaller can delete registry entries, files and folders, and finally itself once these tasks have been completed.[83] |
S0531 | Grandoreiro |
Grandoreiro can delete .LNK files created in the Startup folder.[84] |
S0690 | Green Lambert |
Green Lambert can delete the original executable after initial installation in addition to unused functions.[85][86] |
S0342 | GreyEnergy |
GreyEnergy can securely delete a file by hooking into the DeleteFileA and DeleteFileW functions in the Windows API.[87] |
S0632 | GrimAgent |
GrimAgent can delete old binaries on a compromised host.[88] |
G0043 | Group5 |
Malware used by Group5 is capable of remotely deleting files from victims.[89] |
S0561 | GuLoader |
GuLoader can delete its executable from the |
S0151 | HALFBAKED | |
S0499 | Hancitor | |
S0391 | HAWKBALL | |
S0697 | HermeticWiper |
HermeticWiper has the ability to overwrite its own file with random bites.[94][95] |
S0087 | Hi-Zor |
Hi-Zor deletes its RAT installer file as it executes its DLL payload file.[96] |
S0601 | Hildegard | |
G0072 | Honeybee |
Honeybee removes batch files to reduce fingerprint on the system as well as deletes the CAB file that gets encoded upon infection.[98] |
S0431 | HotCroissant |
HotCroissant has the ability to clean up installed files, delete files, and delete itself from the victim’s machine.[99] |
S0070 | HTTPBrowser |
HTTPBrowser deletes its original installer file once installation is complete.[100] |
S0203 | Hydraq |
Hydraq creates a backdoor through which remote attackers can delete files.[101][102] |
S0398 | HyperBro | |
S0434 | Imminent Monitor |
Imminent Monitor has deleted files related to its dynamic debugger feature.[104] |
S0259 | InnaputRAT |
InnaputRAT has a command to delete files.[105] |
S0260 | InvisiMole |
InvisiMole has deleted files and directories including XML and files successfully uploaded to C2 servers.[106][107] |
S0015 | Ixeshe |
Ixeshe has a command to delete a file from the machine.[108] |
S0044 | JHUHUGIT |
The JHUHUGIT dropper can delete itself from the victim. Another JHUHUGIT variant has the capability to delete specified files.[109][110] |
S0201 | JPIN |
JPIN's installer/uninstaller component deletes itself if it encounters a version of Windows earlier than Windows XP or identifies security-related processes running.[111] |
S0283 | jRAT |
jRAT has a function to delete files from the victim’s machine.[112] |
S0265 | Kazuar | |
S0271 | KEYMARBLE |
KEYMARBLE has the capability to delete files off the victim’s machine.[114] |
S0607 | KillDisk | |
G0094 | Kimsuky |
Kimsuky has deleted the exfiltrated data on disk after transmission. Kimsuky has also used an instrumentor script to terminate browser processes running on an infected system and then delete the cookie files on disk.[116][117][118] |
S0437 | Kivars |
Kivars has the ability to uninstall malware from the infected host.[119] |
S0162 | Komplex | |
S0356 | KONNI | |
G0032 | Lazarus Group |
Lazarus Group malware has deleted files in various ways, including "suicide scripts" to delete malware binaries from the victim. Lazarus Group also uses secure file deletion to delete files from the victim.[122][123] |
S0395 | LightNeuron |
LightNeuron has a function to delete files.[124] |
S0211 | Linfo |
Linfo creates a backdoor through which remote attackers can delete files.[125] |
S0513 | LiteDuke |
LiteDuke can securely delete files by first writing random data to the file.[65] |
S0372 | LockerGoga |
LockerGoga has been observed deleting its original launcher after execution.[126] |
S0447 | Lokibot |
Lokibot will delete its dropped files after bypassing UAC.[127] |
S0582 | LookBack |
LookBack removes itself after execution and can delete files on the system.[128] |
S0451 | LoudMiner | |
S0409 | Machete |
Once a file is uploaded, Machete will delete it from the machine.[130] |
S0282 | MacSpy | |
G0059 | Magic Hound |
Magic Hound has deleted and overwrote files to cover tracks.[132][133] |
G0045 | menuPass |
A menuPass macro deletes files after it has decoded and decompressed them.[134][135] |
S0443 | MESSAGETAP |
Once loaded into memory, MESSAGETAP deletes the keyword_parm.txt and parm.txt configuration files from disk. [136] |
S0455 | Metamorfo |
Metamorfo has deleted itself from the system after execution.[137][138] |
S0688 | Meteor |
Meteor will delete the folder containing malicious scripts if it detects the hostname as |
S0083 | Misdat | |
S0149 | MoonWind | |
S0284 | More_eggs | |
S0256 | Mosquito | |
S0233 | MURKYTOP | |
G0129 | Mustang Panda |
Mustang Panda will delete their tools and files, and kill processes after their objectives are reached.[144] |
S0228 | NanHaiShu |
NanHaiShu launches a script to delete their original decoy file to cover tracks.[145] |
S0630 | Nebulae |
Nebulae has the ability to delete files and directories.[146] |
S0385 | njRAT | |
S0353 | NOKKI | |
S0346 | OceanSalt | |
G0049 | OilRig |
OilRig has deleted files associated with their payload after execution.[151][152] |
S0439 | Okrum |
Okrum's backdoor deletes files after they have been successfully uploaded to C2 servers.[153] |
S0264 | OopsIE |
OopsIE has the capability to delete files and scripts from the victim's machine.[154] |
G0116 | Operation Wocao |
Operation Wocao has deleted logs and executable files used during an intrusion.[155] |
S0352 | OSX_OCEANLOTUS.D |
OSX_OCEANLOTUS.D has a command to delete a file from the system. OSX_OCEANLOTUS.D deletes the app bundle and dropper after execution.[156][157] |
S0598 | P.A.S. Webshell |
P.A.S. Webshell can delete scripts from a subdirectory of /tmp after they are run.[63] |
S0208 | Pasam |
Pasam creates a backdoor through which remote attackers can delete files.[158] |
G0040 | Patchwork |
Patchwork removed certain files and replaced them so they could not be retrieved.[159] |
S0556 | Pay2Key | |
S0587 | Penquin |
Penquin can delete downloaded executables after running them.[161] |
S0517 | Pillowmint |
Pillowmint has deleted the filepath |
S0435 | PLEAD |
PLEAD has the ability to delete files on the compromised host.[119] |
S0067 | pngdowner |
pngdowner deletes content from C2 communications that was saved to the user's temporary directory.[163] |
S0428 | PoetRAT |
PoetRAT has the ability to overwrite scripts and delete itself if a sandbox environment is detected.[164] |
S0453 | Pony |
Pony has used scripts to delete itself after execution.[165] |
S0139 | PowerDuke |
PowerDuke has a command to write random data across a file and delete it.[166] |
S0441 | PowerShower |
PowerShower has the ability to remove all files created during the dropper process.[167] |
S0223 | POWERSTATS |
POWERSTATS can delete all files on the C:\, D:\, E:\ and, F:\ drives using PowerShell Remove-Item commands.[168] |
S0113 | Prikormka |
After encrypting its own log files, the log encryption module in Prikormka deletes the original, unencrypted files from the host.[169] |
S0654 | ProLock |
ProLock can remove files containing its payload after they are executed.[170] |
S0279 | Proton | |
S0238 | Proxysvc |
Proxysvc can delete files indicated by the attacker and remove itself from disk using a batch file.[123] |
S0147 | Pteranodon |
Pteranodon can delete files that may interfere with it executing. It also can delete temporary files and itself after the initial script executes.[171] |
S0196 | PUNCHBUGGY |
PUNCHBUGGY can delete files written to disk.[71][172] |
S0583 | Pysa | |
S0650 | QakBot |
QakBot can delete folders and files including overwriting its executable with legitimate programs.[174][175][176][170] |
S0269 | QUADAGENT |
QUADAGENT has a command to delete its Registry key and scheduled task.[177] |
S0629 | RainyDay |
RainyDay has the ability to uninstall itself by deleting its service and files.[146] |
S0662 | RCSession | |
S0495 | RDAT |
RDAT can issue SOAP requests to delete already processed C2 emails. RDAT can also delete itself from the infected system.[179] |
S0416 | RDFSNIFFER |
RDFSNIFFER has the capability of deleting local files.[180] |
S0172 | Reaver |
Reaver deletes the original dropped file from the victim.[181] |
S0153 | RedLeaves | |
S0125 | Remsec |
Remsec is capable of deleting files on the victim. It also securely removes itself after collecting and exfiltrating data.[183][184][185] |
S0496 | REvil |
REvil can mark its binary code for deletion after reboot.[186] |
S0448 | Rising Sun |
Rising Sun can delete files specified by the C2.[187] |
G0106 | Rocke | |
S0240 | ROKRAT | |
S0148 | RTM |
RTM can delete all files created during its execution.[190][191] |
S0253 | RunningRAT |
RunningRAT contains code to delete files from the victim’s machine.[82] |
S0074 | Sakula |
Some Sakula samples use cmd.exe to delete temporary files.[192] |
S0370 | SamSam |
SamSam has been seen deleting its own files and payloads to make analysis of the attack more difficult.[193] |
G0034 | Sandworm Team |
Sandworm Team has used backdoors that can delete files used in an attack from an infected system.[115][194] |
S0461 | SDBbot |
SDBbot has the ability to delete files from a compromised host.[195] |
S0195 | SDelete |
SDelete deletes data in a way that makes it unrecoverable.[1] |
S0053 | SeaDuke |
SeaDuke can securely delete files, including deleting itself from the victim.[196] |
S0345 | Seasalt | |
S0382 | ServHelper |
ServHelper has a module to delete itself from the infected machine.[198][199] |
S0444 | ShimRat |
ShimRat can uninstall itself from compromised hosts, as well create and modify directories, delete, move, copy, and rename files.[200] |
S0589 | Sibot |
Sibot will delete itself if a certain server response is received.[201] |
G0091 | Silence |
Silence has deleted artifacts, including scheduled tasks, communicates files from the C2 and other logs.[202][203] |
S0692 | SILENTTRINITY |
SILENTTRINITY can remove files from the compromised host.[204] |
S0533 | SLOTHFULMEDIA |
SLOTHFULMEDIA has deleted itself and the 'index.dat' file on a compromised machine to remove recent Internet history from the system.[205] |
S0615 | SombRAT |
SombRAT has the ability to run |
S0374 | SpeakUp |
SpeakUp deletes files to remove evidence on the machine. [207] |
S0390 | SQLRat |
SQLRat has used been observed deleting scripts once used.[208] |
S0380 | StoneDrill |
StoneDrill has been observed deleting the temporary files once they fulfill their task.[209] |
S0491 | StrongPity |
StrongPity can delete previously exfiltrated files from the compromised host.[210][211] |
S0603 | Stuxnet |
Stuxnet uses an RPC server that contains a routine for file deletion and also removes itself from the system through a DLL export by deleting specific files.[212] |
S0559 | SUNBURST | |
S0562 | SUNSPOT |
Following the successful injection of SUNBURST, SUNSPOT deleted a temporary file it created named |
S0663 | SysUpdate |
SysUpdate can delete its configuration file from the targeted system.[215] |
S0011 | Taidoor |
Taidoor can use |
S0586 | TAINTEDSCRIBE |
TAINTEDSCRIBE can delete files from a compromised host.[217] |
S0164 | TDTESS |
TDTESS creates then deletes log files during installation of itself as a service.[218] |
G0139 | TeamTNT |
TeamTNT uses a payload that removes itself after running.[219] |
G0088 | TEMP.Veles |
TEMP.Veles routinely deleted tools, logs, and other files after they were finished with them.[220] |
G0089 | The White Company |
The White Company has the ability to delete its malware entirely from the target system.[221] |
G0027 | Threat Group-3390 |
Threat Group-3390 has deleted existing logs and exfiltrated file archives from a victim.[222][223] |
S0094 | Trojan.Karagany |
Trojan.Karagany has used plugins with a self-delete capability.[224] |
G0081 | Tropic Trooper |
Tropic Trooper has deleted dropper files on an infected system using command scripts.[225] |
S0263 | TYPEFRAME | |
S0386 | Ursnif |
Ursnif has deleted data staged in tmp files after exfiltration.[227] |
S0136 | USBStealer |
USBStealer has several commands to delete files associated with the malware from the victim.[228] |
S0442 | VBShower |
VBShower has attempted to complicate forensic analysis by deleting all the files contained in |
S0257 | VERMIN | |
S0180 | Volgmer |
Volgmer can delete files and itself after infection to avoid analysis.[231] |
S0689 | WhisperGate |
WhisperGate can delete tools from a compromised host after execution.[232] |
S0155 | WINDSHIELD |
WINDSHIELD is capable of file deletion along with other file system interaction.[233] |
S0466 | WindTail |
WindTail has the ability to receive and execute a self-delete command.[234] |
S0176 | Wingbird |
Wingbird deletes its payload along with the payload's parent process after it finishes copying files.[235] |
S0141 | Winnti for Windows |
Winnti for Windows can delete the DLLs for its various components from a compromised host.[236] |
G0102 | Wizard Spider |
Wizard Spider has used file deletion to remove some modules and configurations from an infected host after use.[237] |
S0161 | XAgentOSX |
XAgentOSX contains the deletFileFromPath function to delete a specified file using the NSFileManager:removeFileAtPath method.[238] |
S0251 | Zebrocy |
Zebrocy has a command to delete files and directories.[239][240][241] |
S0330 | Zeus Panda |
Zeus Panda has a command to delete a file. It also can uninstall scripts and delete files to cover its track.[242] |
S0350 | zwShell |
zwShell has deleted itself after creating a service as well as deleted a temporary file when the system reboots.[243] |
S0412 | ZxShell |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Deletion |
It may be uncommon for events related to benign command-line functions such as DEL or third-party utilities or tools to be found in an environment, depending on the user base and how systems are typically used. Monitoring for command-line deletion functions to correlate with binaries or other files that an adversary may drop and remove may lead to detection of malicious activity. Another good practice is monitoring for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce. Some monitoring tools may collect command-line arguments, but may not capture DEL commands since DEL is a native function within cmd.exe.