T1107 - File Deletion
Description from ATT&CK
Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process. There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native cmd functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack Tools)
Atomic Tests
Atomic Test #1 - Delete a single file - Linux/macOS
Delete a single file from the temporary directory
Supported Platforms: Linux, macOS
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| file_to_delete | Path of file to delete | Path | /tmp/victim-files/a |
Run it with sh!

```sh
rm -f #{file_to_delete}
```
Atomic Test #2 - Delete an entire folder - Linux/macOS
Recursively delete the temporary directory and all files contained within it
Supported Platforms: Linux, macOS
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| folder_to_delete | Path of folder to delete | Path | /tmp/victim-files |
Run it with sh!

```sh
rm -rf #{folder_to_delete}
```
Atomic Test #3 - Overwrite and delete a file with shred
Use the shred command to overwrite the temporary file and then delete it
Supported Platforms: Linux
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| file_to_shred | Path of file to shred | Path | /tmp/victim-shred.txt |
Run it with sh!

```sh
shred -u #{file_to_shred}
```
Atomic Test #4 - Delete a single file - Windows cmd
Delete a single file from the temporary directory using cmd.exe
Supported Platforms: Windows
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| file_to_delete | Path of file to delete | Path | C:\Windows\Temp\victim-files-cmd\a |
Run it with command_prompt!

```cmd
del /f #{file_to_delete}
```
Atomic Test #5 - Delete an entire folder - Windows cmd
Recursively delete the temporary directory and all files contained within it using cmd.exe
Supported Platforms: Windows
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| folder_to_delete | Path of folder to delete | Path | C:\Windows\Temp\victim-files-cmd |
Run it with command_prompt!

```cmd
del /f /S #{folder_to_delete}
```
Atomic Test #6 - Delete a single file - Windows PowerShell
Delete a single file from the temporary directory using PowerShell
Supported Platforms: Windows
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| file_to_delete | Path of file to delete | Path | C:\Windows\Temp\victim-files-ps\a |
Run it with powershell!

```powershell
Remove-Item -path "#{file_to_delete}"
```
Atomic Test #7 - Delete an entire folder - Windows PowerShell
Recursively delete the temporary directory and all files contained within it using PowerShell
Supported Platforms: Windows
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| folder_to_delete | Path of folder to delete | Path | C:\Windows\Temp\victim-files-ps |
Run it with powershell!

```powershell
Remove-Item -path "#{folder_to_delete}" -recurse
```
Atomic Test #8 - Delete VSS - vssadmin
Delete all volume shadow copies with vssadmin.exe
Supported Platforms: Windows
Run it with command_prompt! Elevation Required (e.g. root or admin)

```cmd
vssadmin.exe Delete Shadows /All /Quiet
```
Atomic Test #9 - Delete VSS - wmic
Delete all volume shadow copies with wmic
Supported Platforms: Windows
Run it with command_prompt! Elevation Required (e.g. root or admin)

```cmd
wmic shadowcopy delete
```
Atomic Test #10 - bcdedit
This test leverages bcdedit to remove boot-time recovery measures.
Supported Platforms: Windows
Run it with command_prompt!

```cmd
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
```
Atomic Test #11 - wbadmin
This test deletes Windows Backup catalogs.
Supported Platforms: Windows
Run it with command_prompt! Elevation Required (e.g. root or admin)

```cmd
wbadmin delete catalog -quiet
```
Atomic Test #12 - Delete Filesystem - Linux
This test deletes the entire root filesystem of a Linux system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment.
Supported Platforms: Linux, CentOS, Ubuntu
Run it with bash!

```bash
rm -rf / --no-preserve-root > /dev/null 2> /dev/null
```
Atomic Test #13 - Delete-PrefetchFile
Delete a single prefetch file. Deletion of prefetch files is a known anti-forensic technique.
Supported Platforms: Windows
Run it with powershell! Elevation Required (e.g. root or admin)

```powershell
Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" -Name)[0])
```
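A detection-side companion to the tests above, added here as an example and not part of the Atomic Red Team project or the ATT&CK page: it scans process-creation telemetry for the command patterns these tests execute (shadow copy deletion via vssadmin and wmic, bcdedit recovery changes, wbadmin catalog deletion, prefetch file removal, shred, and `rm --no-preserve-root`) and then groups the recovery-inhibition commands per host, because several of them on one machine is a far stronger signal than any single command. The input is a constructed JSON-lines sample with Sysmon-style fields; the field names `cmdline`, `host` and `user`, the rule names, the severities, and the benign lines are all assumptions of this example.

```python
"""Flag T1107-style deletion and recovery-inhibition commands in process logs.

Added example; the sample events below are constructed, not real telemetry.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed Sysmon-style process-creation events (JSON lines). Field names
# are an assumption of this example. One line per Atomic test command above,
# plus two ordinary deletions that the rules should NOT flag.
SAMPLE_EVENTS = r"""
{"ts": "2024-05-01T09:12:03Z", "host": "WS01", "user": "alice", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"}
{"ts": "2024-05-01T09:12:09Z", "host": "WS01", "user": "alice", "cmdline": "wmic shadowcopy delete"}
{"ts": "2024-05-01T09:12:15Z", "host": "WS01", "user": "alice", "cmdline": "bcdedit /set {default} recoveryenabled no"}
{"ts": "2024-05-01T09:12:21Z", "host": "WS01", "user": "alice", "cmdline": "wbadmin delete catalog -quiet"}
{"ts": "2024-05-01T09:13:40Z", "host": "WS01", "user": "alice", "cmdline": "powershell.exe Remove-Item -Path (Join-Path \"$Env:SystemRoot\\prefetch\\\" (Get-ChildItem -Path \"$Env:SystemRoot\\prefetch\\*.pf\" -Name)[0])"}
{"ts": "2024-05-01T09:14:02Z", "host": "SRV02", "user": "bob", "cmdline": "shred -u /tmp/victim-shred.txt"}
{"ts": "2024-05-01T09:14:10Z", "host": "SRV02", "user": "root", "cmdline": "rm -rf / --no-preserve-root"}
{"ts": "2024-05-01T09:15:00Z", "host": "WS01", "user": "alice", "cmdline": "del /f C:\\Users\\alice\\Downloads\\report.tmp"}
{"ts": "2024-05-01T09:15:30Z", "host": "SRV02", "user": "bob", "cmdline": "rm -f /tmp/build/cache.o"}
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    host: str
    user: str
    cmdline: str


# (rule name, severity, pattern). Names and severities are this example's own.
# Windows patterns are case-insensitive because cmd and PowerShell are; the
# Unix patterns are case-sensitive since those binaries are.
RULES: List[Tuple[str, str, "re.Pattern[str]"]] = [
    ("vss_delete_vssadmin", "high",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vss_delete_wmic", "high",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("bcdedit_disable_recovery", "high",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("wbadmin_delete_catalog", "high",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    # Plain del/rm/Remove-Item is far too noisy on its own; the prefetch path
    # plus .pf extension is what makes this one worth an alert.
    ("prefetch_file_deletion", "medium",
     re.compile(r"\b(remove-item|del|rm)\b.*prefetch.*\.pf\b", re.I)),
    ("shred_secure_delete", "medium",
     re.compile(r"(^|\s|/)shred\b.*\s-u\b")),
    ("rm_no_preserve_root", "critical",
     re.compile(r"\brm\b.*--no-preserve-root\b")),
]

# Rules whose purpose is to destroy recovery options rather than a single file.
RECOVERY_RULES = {
    "vss_delete_vssadmin", "vss_delete_wmic",
    "bcdedit_disable_recovery", "wbadmin_delete_catalog",
}


def parse_events(text: str) -> List[dict]:
    """Parse JSON-lines telemetry; blank and malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a production pipeline should count these, not drop them
    return events


def match_rules(cmdline: str) -> List[Tuple[str, str]]:
    """Return (rule, severity) for every rule whose pattern hits the command line."""
    return [(name, sev) for name, sev, rx in RULES if rx.search(cmdline)]


def scan(events: Iterable[dict]) -> List[Finding]:
    """Run every rule over every event's command line."""
    findings = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        for name, sev in match_rules(cmd):
            findings.append(Finding(name, sev, ev.get("host", "?"), ev.get("user", "?"), cmd))
    return findings


def hosts_with_recovery_inhibition(findings: Iterable[Finding], min_rules: int = 2) -> Dict[str, List[str]]:
    """Hosts on which at least min_rules distinct recovery-inhibition rules fired."""
    by_host: Dict[str, set] = {}
    for f in findings:
        if f.rule in RECOVERY_RULES:
            by_host.setdefault(f.host, set()).add(f.rule)
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= min_rules}


if __name__ == "__main__":
    found = scan(parse_events(SAMPLE_EVENTS))
    for f in found:
        print(f"[{f.severity}] {f.rule} {f.host}/{f.user}: {f.cmdline}")
    print("hosts with multiple recovery-inhibition commands:",
          hosts_with_recovery_inhibition(found))
```

The per-host grouping is deliberately the interesting part: any one of the vssadmin, wmic, bcdedit or wbadmin commands has legitimate administrative uses, but two or more of them on the same host in close succession rarely do, so that is the condition worth paging on, while the single-command hits can stay at ticket priority.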