File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in Command and Scripting Interpreter functions include `del` on Windows and `rm` or `unlink` on Linux and macOS.
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | 1 |