security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fc495c1192fda69bd1ed33a13d7590ef055eee09
atomic-red-team/atomics/T1107/T1107.md
T
CircleCI Atomic Red Team doc generator 65fd85dd3c Generate docs from job=validate_atomics_generate_docs branch=uppercase-everything
2018-05-23 23:09:31 +00:00

238 lines
6.0 KiB
Markdown
Raw Blame History

# T1107 - File Deletion
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1107)
<blockquote>Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native cmd functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack Tools)
Detection: It may be uncommon for events related to benign command-line functions such as DEL or third-party utilities or tools to be found in an environment, depending on the user base and how systems are typically used. Monitoring for command-line deletion functions to correlate with binaries or other files that an adversary may drop and remove may lead to detection of malicious activity. Another good practice is monitoring for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce. Some monitoring tools may collect command-line arguments, but may not capture DEL commands since DEL is a native function within cmd.exe.
Platforms: Linux, Windows, macOS
Data Sources: Binary file metadata, File monitoring, Process command-line parameters
Defense Bypassed: Host forensic analysis
Permissions Required: User
Contributors: Walker Johnson</blockquote>
## Atomic Tests
- [Atomic Test #1 - Victim configuration](#atomic-test-1---victim-configuration)
- [Atomic Test #2 - Delete a single file](#atomic-test-2---delete-a-single-file)
- [Atomic Test #3 - Delete an entire folder](#atomic-test-3---delete-an-entire-folder)
- [Atomic Test #4 - Overwrite and delete a file with shred](#atomic-test-4---overwrite-and-delete-a-file-with-shred)
- [Atomic Test #5 - Victim configuration](#atomic-test-5---victim-configuration)
- [Atomic Test #6 - Delete a single file - cmd](#atomic-test-6---delete-a-single-file---cmd)
- [Atomic Test #7 - Delete an entire folder - cmd](#atomic-test-7---delete-an-entire-folder---cmd)
- [Atomic Test #8 - Delete a single file - ps](#atomic-test-8---delete-a-single-file---ps)
- [Atomic Test #9 - Delete an entire folder - ps](#atomic-test-9---delete-an-entire-folder---ps)
- [Atomic Test #10 - Delete VSS - vssadmin](#atomic-test-10---delete-vss---vssadmin)
- [Atomic Test #11 - Delete VSS - wmic](#atomic-test-11---delete-vss---wmic)
- [Atomic Test #12 - bcdedit](#atomic-test-12---bcdedit)
- [Atomic Test #13 - wbadmin](#atomic-test-13---wbadmin)
<br/>
## Atomic Test #1 - Victim configuration
Create a temporary directory and several files on the victim system for later deletion
**Supported Platforms:** Linux
#### Run it with `sh`!
```
mkdir /tmp/victim-files
cd /tmp/victim-files
touch a b c d e f g
echo "This file will be shredded" > /tmp/victim-shred.txt
```
<br/>
<br/>
## Atomic Test #2 - Delete a single file
Delete a single file from the temporary directory
**Supported Platforms:** Linux
#### Run it with `sh`!
```
rm -f /tmp/victim-files/a
```
<br/>
<br/>
## Atomic Test #3 - Delete an entire folder
Recursively delete the temporary directory and all files contained within it
**Supported Platforms:** Linux
#### Run it with `sh`!
```
rm -rf /tmp/victim-files
```
<br/>
<br/>
## Atomic Test #4 - Overwrite and delete a file with shred
Use the `shred` command to overwrite the temporary file and then delete it
**Supported Platforms:** Linux
#### Run it with `sh`!
```
shred -u /tmp/victim-shred.txt
```
<br/>
<br/>
## Atomic Test #5 - Victim configuration
Create a temporary directory and several files on the victim system for later deletion
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
mkdir %TEMP%\victim-files-cmd
cd %TEMP%\victim-files-cmd
type nul > a
type nul > b
type nul > c
type nul > d
type nul > e
type nul > f
type nul > g
mkdir %TEMP%\victim-files-ps
cd %TEMP%\victim-files-ps
type nul > a
type nul > b
type nul > c
type nul > d
type nul > e
type nul > f
type nul > g
```
<br/>
<br/>
## Atomic Test #6 - Delete a single file - cmd
Delete a single file from the temporary directory using cmd.exe
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
del /f %TEMP%\victim-files-cmd\a
```
<br/>
<br/>
## Atomic Test #7 - Delete an entire folder - cmd
Recursively delete the temporary directory and all files contained within it using cmd.exe
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
del /f /S %TEMP%\victim-files-cmd
```
<br/>
<br/>
## Atomic Test #8 - Delete a single file - ps
Delete a single file from the temporary directory using Powershell
**Supported Platforms:** Windows
#### Run it with `powershell`!
```
Remove-Item -path %TEMP%\victim-files-ps\a
```
<br/>
<br/>
## Atomic Test #9 - Delete an entire folder - ps
Recursively delete the temporary directory and all files contained within it using Powershell
**Supported Platforms:** Windows
#### Run it with `powershell`!
```
Remove-Item -path %TEMP%\victim-files-ps -recurse
```
<br/>
<br/>
## Atomic Test #10 - Delete VSS - vssadmin
Delete all volume shadow copies with vssadmin.exe
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
vssadmin.exe Delete Shadows /All /Quiet
```
<br/>
<br/>
## Atomic Test #11 - Delete VSS - wmic
Delete all volume shadow copies with wmic
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
wmic shadowcopy delete
```
<br/>
<br/>
## Atomic Test #12 - bcdedit
xxx
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
```
<br/>
<br/>
## Atomic Test #13 - wbadmin
xxx
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
wbdadmin delete catalog -quiet
```
<br/>
Reference in New Issue View Git Blame Copy Permalink