cti/enterprise-attack/attack-pattern/attack-pattern--56fca983-1cf1-4fd1-bda0-5e170a37ab59.json

{
    "type": "bundle",
    "id": "bundle--370f7815-579c-48bb-9037-5674a0cfb640",
    "spec_version": "2.0",
    "objects": [
        {
            "type": "attack-pattern",
            "id": "attack-pattern--56fca983-1cf1-4fd1-bda0-5e170a37ab59",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "created": "2017-05-31T21:31:17.915Z",
            "modified": "2018-01-17T12:56:55.080Z",
            "name": "File Deletion",
            "description": "Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.\n\nThere are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native cmd functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack Tools)\n\nDetection: It may be uncommon for events related to benign command-line functions such as DEL or third-party utilities or tools to be found in an environment, depending on the user base and how systems are typically used. Monitoring for command-line deletion functions to correlate with binaries or other files that an adversary may drop and remove may lead to detection of malicious activity. Another good practice is monitoring for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce. Some monitoring tools may collect command-line arguments, but may not capture DEL commands since DEL is a native function within cmd.exe.\n\nPlatforms: Linux, Windows, macOS\n\nData Sources: Binary file metadata, File monitoring, Process command-line parameters\n\nDefense Bypassed: Host forensic analysis\n\nPermissions Required: User\n\nContributors: Walker Johnson",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-attack",
                    "phase_name": "defense-evasion"
                }
            ],
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/wiki/Technique/T1107",
                    "external_id": "T1107"
                },
                {
                    "source_name": "Trend Micro APT Attack Tools",
                    "description": "Wilhoit, K. (2013, March 4). In-Depth Look: APT Attack Tools of the Trade. Retrieved December 2, 2015.",
                    "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "x_mitre_contributors": [
                "Walker Johnson"
            ],
            "x_mitre_data_sources": [
                "Binary file metadata",
                "File monitoring",
                "Process command-line parameters"
            ],
            "x_mitre_defense_bypassed": [
                "Host forensic analysis"
            ],
            "x_mitre_permissions_required": [
                "User"
            ],
            "x_mitre_platforms": [
                "Linux",
                "Windows",
                "macOS"
            ]
        }
    ]
}