Find sigma rule
Attack: Indicator Removal on Host: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary’s footprint.
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in Command and Scripting Interpreter functions include del
on Windows and rm
or unlink
on Linux and macOS.
MITRE
Tactic
- defense-evasion
technique
- T1070.004
Test : Delete Prefetch File
OS
- windows
Description:
Delete a single prefetch file. Deletion of prefetch files is a known anti-forensic technique. To verify execution, Run (Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" | Measure-Object).Count
before and after the test to verify that the number of prefetch files decreases by 1.
Executor
powershell
Sigma Rule
-
posh_ps_remove_item_path.yml (id: b8af5f36-1361-4ebe-9e76-e36128d947bf)
-
file_delete_win_delete_prefetch.yml (id: 0a1f9d29-6465-4776-b091-7f43b26e4c89)