Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
58 lines (46 sloc) 1.8 KB

T1107 - File Deletion

Description from ATT&CK

Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.

There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native cmd functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack Tools)

How to Detect

Simulating the attack

rm -rf test1.text
rm -f test1.txt
shred -u test1.txt

Data sources required to detect the attack

auditlogs (audit.rules)

bash_history logs

Splunk Queries to detect the attack

auditlogs(syscalls)

index=linux sourcetype=linux_audit syscall=59 comm=shred | table host,auid,msg
index=linux sourcetype=linux_audit type=execve shred .bash_history | table host,msg,a0,a2
index=linux sourcetype=linux_audit syscall=263 | table host,auid,uid,eid,exe
index=linux sourcetype=linux_audit syscall=82 exe=/usr/bin/shred | table host,auid,uid,eid,exe

Audit-rules

-a always,exit -F arch=b64 -S execve,execveat -F auid>=1000 -F auid!=-1 -F key=program_execution

-w /home/ec2-user/.bash_history -p rwa -k bash_history_changes

bash_history

index=linux sourcetype="bash_history" bash_command="rm *"
index=linux sourcetype="bash_history" bash_command="shred -u *"

Caution/Caveate

Note:

You can’t perform that action at this time.