
File Deletion (e905dad2-00d6-477c-97e8-800427abd0e8)

Refers to events where files are removed from a system or storage device. These events can indicate legitimate housekeeping activities or malicious actions such as attackers attempting to cover their tracks. Monitoring file deletions helps organizations identify unauthorized or suspicious activities.

This data component can be collected through the following measures:

Windows

  • Sysmon: Event ID 23: Logs file deletion events, including details such as file paths and responsible processes.
  • Windows Event Log: Enable "Object Access" auditing to monitor file deletions.
  • PowerShell: Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663} | Where-Object {$_.Message -like '*DELETE*'}

Linux

  • Auditd: Use audit rules to capture file deletion events (unlinkat and renameat are included because current rm and mv call them rather than unlink and rename): auditctl -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -k file_deletion
  • Query logs: ausearch -k file_deletion
  • Inotify: Use inotifywait to monitor file deletions: inotifywait -m /path/to/watch -e delete

macOS

  • Endpoint Security Framework (ESF): Monitor events like ES_EVENT_TYPE_AUTH_UNLINK to capture file deletion activities.
  • FSEvents: Track file deletion activities in real-time: fs_usage | grep unlink

SIEM Integration

  • Forward file deletion logs to a SIEM for centralized monitoring and correlation with other events.
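The following is an added example, not part of this galaxy entry, showing how the Linux collection above turns into a detection: it joins the SYSCALL and PATH records that `ausearch -k file_deletion --raw` emits for one event, names the syscall, and flags deletions of logs or shell history, which is what the Indicator Removal sub-techniques mapped below delete. It assumes x86_64 syscall numbers (arch=c000003e) and a constructed watch list; the sample records are constructed, not captured output.

```python
import re
from collections import defaultdict

# x86_64 numbers (assumption: arch=c000003e only); unlinkat/renameat are here because current rm/mv call them.
SYSCALL_NAMES = {87: "unlink", 263: "unlinkat", 82: "rename", 264: "renameat",
                 316: "renameat2", 84: "rmdir"}
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

def parse_record(line):
    """Split one raw auditd record into key=value fields plus its event timestamp and serial."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = EVENT_RE.search(line)
    rec["_ts"], rec["_serial"] = (m.group(1), m.group(2)) if m else ("?", "?")
    return rec

def is_sensitive(path):
    """Constructed watch list: logs and shell history (T1070.002 / T1070.003 in the mapping table)."""
    return path.startswith("/var/log/") or path.rsplit("/", 1)[-1] in (".bash_history", ".zsh_history")

def deletions_from_audit(raw):
    """Join SYSCALL and PATH records by event serial; emit one event per path with nametype=DELETE."""
    by_serial = defaultdict(list)
    for line in filter(str.strip, raw.splitlines()):
        rec = parse_record(line)
        by_serial[rec["_serial"]].append(rec)
    events = []
    for serial, recs in by_serial.items():
        sc = next((r for r in recs if r.get("type") == "SYSCALL" and r.get("key") == "file_deletion"), None)
        if sc is None:
            continue  # PATH records without a keyed SYSCALL belong to some other audit rule
        for p in recs:
            if p.get("type") == "PATH" and p.get("nametype") == "DELETE":
                events.append({"serial": serial, "ts": sc["_ts"],
                               "syscall": SYSCALL_NAMES.get(int(sc["syscall"]), sc["syscall"]),
                               "exe": sc.get("exe"), "auid": sc.get("auid"), "uid": sc.get("uid"),
                               "path": p["name"], "suspicious": is_sensitive(p["name"])})
    return events

# Constructed sample in the shape of `ausearch -k file_deletion --raw`: root removing an auth log
# with rm, then an unprivileged build script removing its own temp file.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1700000000.123:4567): arch=c000003e syscall=263 success=yes exit=0 items=2 ppid=1234 pid=1235 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="rm" exe="/usr/bin/rm" key="file_deletion"
type=PATH msg=audit(1700000000.123:4567): item=0 name="/var/log/" inode=131073 dev=08:01 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1700000000.123:4567): item=1 name="/var/log/auth.log" inode=131090 dev=08:01 mode=0100640 ouid=0 ogid=4 nametype=DELETE
type=SYSCALL msg=audit(1700000000.456:4570): arch=c000003e syscall=87 success=yes exit=0 items=2 ppid=2000 pid=2001 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts1 ses=4 comm="python3" exe="/usr/bin/python3.11" key="file_deletion"
type=PATH msg=audit(1700000000.456:4570): item=0 name="/tmp/" inode=2 dev=00:21 mode=041777 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1700000000.456:4570): item=1 name="/tmp/build.tmp" inode=77 dev=00:21 mode=0100644 ouid=1000 ogid=1000 nametype=DELETE
"""
```

Running `deletions_from_audit(SAMPLE_AUDIT)` yields two events; only the /var/log/auth.log one is marked suspicious, and the auid/uid pair shows the deletion was performed as root by a user who logged in as uid 1000.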
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| File Deletion (e905dad2-00d6-477c-97e8-800427abd0e8) | mitre-data-component | Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c) | Attack Pattern | 1 |
| File Deletion (e905dad2-00d6-477c-97e8-800427abd0e8) | mitre-data-component | Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | 1 |
| File Deletion (e905dad2-00d6-477c-97e8-800427abd0e8) | mitre-data-component | Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33) | Attack Pattern | 1 |
| File Deletion (e905dad2-00d6-477c-97e8-800427abd0e8) | mitre-data-component | Clear Linux or Mac System Logs - T1070.002 (2bce5b30-7014-4a5d-ade7-12913fe6ac36) | Attack Pattern | 1 |
| File Deletion (e905dad2-00d6-477c-97e8-800427abd0e8) | mitre-data-component | Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) | Attack Pattern | 1 |
| File Deletion (e905dad2-00d6-477c-97e8-800427abd0e8) | mitre-data-component | Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) | Attack Pattern | 1 |
| File Deletion (e905dad2-00d6-477c-97e8-800427abd0e8) | mitre-data-component | Disable or Modify Linux Audit System - T1562.012 (562e9b64-7239-493d-80f4-2bff900d9054) | Attack Pattern | 1 |
| File Deletion (e905dad2-00d6-477c-97e8-800427abd0e8) | mitre-data-component | Clear Command History - T1070.003 (3aef9463-9a7a-43ba-8957-a867e07c1e6a) | Attack Pattern | 1 |
| File Deletion (e905dad2-00d6-477c-97e8-800427abd0e8) | mitre-data-component | Stored Data Manipulation - T1565.001 (1cfcb312-b8d7-47a4-b560-4b16cc677292) | Attack Pattern | 1 |
| File Deletion (e905dad2-00d6-477c-97e8-800427abd0e8) | mitre-data-component | Clear Mailbox Data - T1070.008 (438c967d-3996-4870-bfc2-3954752a1927) | Attack Pattern | 1 |
| File Deletion (e905dad2-00d6-477c-97e8-800427abd0e8) | mitre-data-component | Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | 1 |
| File Deletion (e905dad2-00d6-477c-97e8-800427abd0e8) | mitre-data-component | Data Manipulation - T1565 (ac9e6b22-11bf-45d7-9181-c1cb08360931) | Attack Pattern | 1 |
| File Deletion (e905dad2-00d6-477c-97e8-800427abd0e8) | mitre-data-component | Compromise Host Software Binary - T1554 (960c3c86-1480-4d72-b4e0-8c242e84a5c5) | Attack Pattern | 1 |
| File Deletion (e905dad2-00d6-477c-97e8-800427abd0e8) | mitre-data-component | File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | 1 |
| File Deletion (e905dad2-00d6-477c-97e8-800427abd0e8) | mitre-data-component | Runtime Data Manipulation - T1565.003 (32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490) | Attack Pattern | 1 |
| Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33) | Attack Pattern | 2 |
| Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | Clear Linux or Mac System Logs - T1070.002 (2bce5b30-7014-4a5d-ade7-12913fe6ac36) | Attack Pattern | 2 |
| Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) | Attack Pattern | Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | 2 |
| Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Disable or Modify Linux Audit System - T1562.012 (562e9b64-7239-493d-80f4-2bff900d9054) | Attack Pattern | 2 |
| Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | Clear Command History - T1070.003 (3aef9463-9a7a-43ba-8957-a867e07c1e6a) | Attack Pattern | 2 |
| Stored Data Manipulation - T1565.001 (1cfcb312-b8d7-47a4-b560-4b16cc677292) | Attack Pattern | Data Manipulation - T1565 (ac9e6b22-11bf-45d7-9181-c1cb08360931) | Attack Pattern | 2 |
| Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | Clear Mailbox Data - T1070.008 (438c967d-3996-4870-bfc2-3954752a1927) | Attack Pattern | 2 |
| Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | 2 |
| Data Manipulation - T1565 (ac9e6b22-11bf-45d7-9181-c1cb08360931) | Attack Pattern | Runtime Data Manipulation - T1565.003 (32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490) | Attack Pattern | 2 |