1. Home
  2. ATT&CK Techniques
  3. T1070.004 File Deletion

T1070.004 File Deletion Mappings

Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.

There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in Command and Scripting Interpreter functions include <code>del</code> on Windows and <code>rm</code> or <code>unlink</code> on Linux and macOS.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
intel-tdt Intel Threat Detection Technology CrowdStrike AMS T1070.004 File Deletion
Comments
Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), enhances cybersecurity defenses by enabling faster, real-time detection of file deletion exploits. This integrated solution strengthens CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain, all while minimizing system performance impact. File deletion exploits involve adversaries using malicious techniques to delete critical files or system components, often to disrupt operations or cover their tracks after executing an attack. These actions may include removing logs, system configurations, or other files vital to the operation of security defenses. Intel TDT plays a crucial role in identifying these threats by providing real-time telemetry on program execution, memory access, and control flow, enabling rapid detection of abnormal behaviors that could indicate unauthorized file deletion actions. Additionally, CAMS offloads the memory scanning workload from the CPU to the Intel Integrated GPU, allowing for faster, more efficient detection of malicious activity without degrading system performance. CAMS helps identify suspicious behaviors, such as attempts to delete critical files or cover up traces of malicious activity, providing a proactive defense against attackers trying to evade detection through file manipulation.
References
  1. https://attack.mitre.org/techniques/T1204/002/
  2. https://www.crowdstrike.com/en-us/blog/falcon-enhances-fileless-attack-detection-with-accelerated-memory-scanning/
  3. https://www.intel.com/content/www/us/en/it-management/intel-it-best-practices/advancing-intels-security-posture-with-crowdstrike.html
  4. https://www.intel.com/content/dam/www/central-libraries/us/en/documents/2022-09/intel-crowdstrike-solution-brief.pdf