# File Deletion

| Technique | File Deletion |
|---|---|
| ID | T1107 |
| Tactic | Defense Evasion |
| Platform | Linux, macOS, Windows |
| Permissions Required | User |
| Data Sources | File monitoring, Binary file metadata, Process command-line parameters |
| Defense Bypassed | Host forensic analysis |
| Contributors | Walker Johnson |

Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.

There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native cmd functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools.[1]

## Examples

- APT18 actors deleted tools and batch files from victim systems.[2]
- APT28 has deleted files from the system via the NSFileManager:removeFileAtPath method.[3]
- APT3 has a tool that can delete files.[4]
- APT32 has cleared select event log entries.[5]
- APT34 has deleted initial drop files from the staging directory.[6]
- The BRONZE BUTLER uploader, or malware the uploader uses, issues a command to delete the RAR archives after they have been exfiltrated.[7]
- Dragonfly deleted a file immediately after executing it on a victim host.[8]
- FIN10 has used batch scripts and scheduled tasks to delete critical system files.[9]
- FIN5 uses SDelete to clean up the environment and attempt to prevent detection.[10]
- Malware used by Group5 is capable of remotely deleting files from victims.[11]
- Lazarus Group malware contains "suicide scripts" to delete malware binaries from the victim. It also uses secure file deletion to delete files from the victim.[12]
- Magic Hound malware can delete files.[13]
- OilRig's TwoFace Web shell uses del to delete a text file of passwords after reading it.[14]
- Threat Group-3390 has deleted existing logs and exfiltrated file archives from a victim.[15]
- ADVSTORESHELL can delete files and directories.[16]
- BBSRAT can delete files and directories.[17]
- BLACKCOFFEE has the capability to delete files.[18]
- Backdoor.Oldrea contains a cleanup module that removes traces of itself from the victim.[19]
- BlackEnergy 2 contains a "Destroy" plug-in that destroys data stored on victim hard drives by overwriting file contents.[20]
- Recent versions of Cherry Picker delete files and registry keys created by the malware.[21]
- Derusbi is capable of deleting files. It has been observed loading a Linux Kernel Module (LKM) and then deleting it from the hard disk as well as overwriting the data with null bytes.[22]
- FALLCHILL can delete malware and associated artifacts from the victim.[23]
- Gazer has commands to delete files and persistence mechanisms from the victim.[24][25]
- H1N1 deletes shadow copies from the victim.[26]
- HALFBAKED can delete a specified file.[27]
- HTTPBrowser deletes its original installer file once installation is complete.[28]
- Hi-Zor deletes its RAT installer file as it executes its DLL payload file.[29]
- The JHUHUGIT dropper deletes itself from the victim.[30]
- The Komplex trojan supports file deletion.[31]
- Misdat is capable of deleting the backdoor file.[32]
- MoonWind can delete itself or specified files.[33]
- PowerDuke has a command to write random data across a file and delete it.[34]
- Pteranodon can delete files that may interfere with it executing. It also can delete temporary files and itself after the initial script executes.[35]
- RTM can delete all files created during its execution.[36]
- Reaver deletes the original dropped file from the victim.[37]
- RedLeaves can delete specified files.[38]
- Remsec is capable of deleting files on the victim.[39][40] It also securely removes itself after collecting and exfiltrating data.[41]
- Some Sakula samples use cmd.exe to delete temporary files.[42]
- SeaDuke can securely delete files, including deleting itself from the victim.[43]
- Shamoon attempts to overwrite operating system files with image files.[44][45]
- TDTESS creates then deletes log files during installation of itself as a service.[46]
- USBStealer has several commands to delete files associated with the malware from the victim.[47]
- WINDSHIELD is capable of file deletion along with other file system interaction.[5]
- Wingbird deletes its payload along with the payload's parent process after it finishes copying files.[48]
- XAgentOSX contains the deletFileFromPath function to delete a specified file using the NSFileManager:removeFileAtPath method.[3]
- cmd can be used to delete files from the file system.[49]
- gh0st RAT is able to delete files.[50]
- pngdowner deletes content from C2 communications that was saved to the user's temporary directory.[51]

## Mitigation

Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to delete files, and audit and/or block them by using whitelisting[52] tools like AppLocker[53][54] or Software Restriction Policies[55] where appropriate.[56]

## Detection

Depending on the user base and how systems are typically used, events related to benign command-line functions such as DEL, or to third-party deletion utilities, may be uncommon in an environment. Monitoring for command-line deletion functions and correlating them with binaries or other files that an adversary may drop and later remove may lead to detection of malicious activity. Another good practice is monitoring for known deletion and secure deletion tools that are not already present on systems within the enterprise network and that an adversary could introduce. Some monitoring tools collect command-line arguments but may still not capture DEL commands as separate process events, since DEL is a native function within cmd.exe rather than a standalone executable.
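The correlation described above, as an added example that is not part of the ATT&CK page: a small detector run over constructed Sysmon-style FileCreate and ProcessCreate events. Because DEL is a cmd.exe built-in and never a process image, it is matched inside the cmd.exe command line; a deletion whose target was created shortly before is rated higher (drop-then-remove), and executions of SDelete are flagged as a secure-deletion tool. The event layout, the tool-name set and the one-hour window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style FileCreate / ProcessCreate events (not from any real host).
EVENTS = [
    {"ts": "2024-01-01T10:00:00", "type": "file_create",
     "path": r"C:\Users\bob\AppData\Local\Temp\a.exe"},
    {"ts": "2024-01-01T10:01:00", "type": "proc_create", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del /f /q C:\Users\bob\AppData\Local\Temp\a.exe"},
    {"ts": "2024-01-01T10:02:00", "type": "proc_create", "image": r"C:\Tools\sdelete64.exe",
     "cmdline": r"sdelete64.exe -p 3 C:\Users\bob\stage.rar"},
    {"ts": "2024-01-01T10:03:00", "type": "proc_create", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir C:\Users\bob"},
]

# DEL/ERASE/RD are cmd.exe built-ins, never a process image: match them in the command line.
CMD_DELETE_RE = re.compile(r"(?:^|[\s&|])(?:del|erase|rd|rmdir)\s+(?P<args>[^&|]+)", re.I)
# Image names of secure-deletion tools to watch for (assumed list; extend for your estate).
SECURE_DELETE_TOOLS = {"sdelete.exe", "sdelete64.exe"}

def find_deletions(events, window=timedelta(hours=1)):
    """One alert per deletion; 'high' if the target was created within `window` before it."""
    recent_creates = {}  # lower-cased path -> creation time
    alerts = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "file_create":
            recent_creates[ev["path"].lower()] = ts
        if ev["type"] != "proc_create":
            continue
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        kind, targets = None, []
        if image == "cmd.exe":
            m = CMD_DELETE_RE.search(ev["cmdline"])
            if m:  # drop switches such as /f /q, keep the path arguments
                kind = "cmd-builtin-delete"
                targets = [a for a in m.group("args").split() if not a.startswith("/")]
        elif image in SECURE_DELETE_TOOLS:
            kind = "secure-delete-tool"
            targets = ev["cmdline"].split()[-1:]  # SDelete takes the file or directory last
        if kind is None:
            continue
        severity = "medium"
        for t in targets:  # drop-then-delete: the file appeared shortly before its removal
            created = recent_creates.get(t.lower())
            if created is not None and ts - created <= window:
                severity = "high"
        alerts.append({"ts": ev["ts"], "kind": kind, "targets": targets, "severity": severity})
    return alerts
```

On the constructed input the `del` of the just-dropped `a.exe` is rated high, the SDelete run is rated medium, and the `dir` command produces no alert.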