T1070.004 File Deletion

Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.

There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. (Citation: Microsoft SDelete July 2016) Examples of built-in Command and Scripting Interpreter functions include del on Windows and rm or unlink on Linux and macOS.


Azure Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
| --- | --- | --- | --- | --- | --- |
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1070.004 | File Deletion | |

Comments
This control may detect suspicious file cleanup commands and shadow copy deletion activity. The following alerts may be generated: "Detected suspicious file cleanup commands", "Suspicious Volume Shadow Copy Activity".

GCP Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
| --- | --- | --- | --- | --- | --- |
| google_secops | Google Security Operations | technique_scores | T1070.004 | File Deletion | |

Comments
Google Security Ops can trigger an alert based on system processes that indicate when backup catalogs are deleted from a Windows machine. This technique was scored as Minimal because of a low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/backup_catalog_deleted.yaral

AWS Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
| --- | --- | --- | --- | --- | --- |
| amazon_inspector | Amazon Inspector | technique_scores | T1070.004 | File Deletion | |

Comments
The Amazon Inspector Best Practices assessment package can assess the security control "Configure permissions for system directories", which prevents privilege escalation by local users and ensures only the root account can modify or execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications; it only checks whether security controls are in place, which can inform decisions about hardening the system. Because of this, and because the security control is only supported on Linux platforms, the score is Minimal.