Indicator Removal: File Deletion (T1070.004)

Tactic: Stealth · Platforms: ESXi, Linux, macOS, Windows

The interactive view maps 1 detection strategy, 47 threat groups, 248 software entries, 13 campaigns to this technique, alongside D3FEND countermeasures and data-component coverage.

Sub-technique of Indicator Removal (T1070).

Overview

Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.

There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples of built-in Command and Scripting Interpreter functions include del on Windows, rm or unlink on Linux and macOS, and `rm` on ESXi.

Explore