Indicator Removal: File Deletion, Sub-technique T1070.004 - Enterprise
During the 2015 Ukraine Electric Power Attack, vba_macro.exe deleted itself after FONTCACHE.DAT, rundll32.exe, and the associated .lnk file were delivered.[2]
AcidPour includes a self-delete function: the malware deletes itself from disk once it has executed and been loaded into memory.[3]
ADVSTORESHELL can delete files and directories.[4]
Anchor can self-delete its dropper after the malware is successfully deployed.[5]
Apostle writes batch scripts to disk, such as system.bat and remover.bat, that perform various anti-analysis and anti-forensic tasks, before finally deleting themselves at the end of execution. Apostle attempts to delete itself after encryption or wiping operations are complete and before shutting down the victim machine.[6]
AppleJeus has deleted the MSI file after installation.[7]
AppleSeed can delete files from a compromised host after they are exfiltrated.[8]
APT18 actors deleted tools and batch files from victim systems.[9]
APT28 has intentionally deleted computer files to cover their tracks, including with use of the program CCleaner.[10]
APT29 has used SDelete to remove artifacts from victim networks.[11]
APT3 has a tool that can delete files.[12]
APT32's macOS backdoor can receive a "delete" command.[13]
APT38 has used a utility called CLOSESHAVE that can securely delete a file from the system. They have also removed malware, tools, or other non-native files used during the intrusion to reduce their footprint or as part of the post-intrusion cleanup process.[14][15]
APT39 has used malware to delete files after they are deployed on a compromised host.[16]
APT41 deleted files from the system.[17][18]
APT41 DUST deleted various artifacts from victim systems following use.[19]
APT5 has deleted scripts and web shells to evade detection.[20][21]
Aquatic Panda has deleted malicious executables from compromised machines.[22][23]
ArcaneDoor included multiple instances of file deletion or removal during execution and other adversary actions.[24][25]
Aria-body has the ability to delete files and directories on compromised hosts.[26]
Attor’s plugin deletes the collected files and log files after exfiltration.[27]
AuditCred can delete files from the system.[28]
Azorult can delete files from victim machines.[29]
BabyShark has cleaned up all files associated with the secondary payload execution.[30]
BackConfig has the ability to remove files and folders related to previous infections.[31]
Backdoor.Oldrea contains a cleanup module that removes traces of itself from the victim.[32]
BADHATCH has the ability to delete PowerShell scripts from a compromised machine.[33]
Bandook has a command to delete a file.[34]
Bankshot marks files to be deleted upon the next system reboot and uninstalls and removes itself from the system.[35]
Bazar can delete its loader using a batch file in the Windows temporary folder.[36]
BBSRAT can delete files and directories.[37]
BeaverTail has deleted files from a compromised host after they were exfiltrated.[38]
Bisonal will delete its dropper and VBS scripts from the victim’s machine.[39][40][41]
BlackByte deleted ransomware executables post-encryption.[42][43][44][45]
BlackByte 2.0 Ransomware deletes itself following device encryption.[44]
BLACKCOFFEE has the capability to delete files.[46]
BLINDINGCAN has deleted itself and associated artifacts from victim machines.[47]
BLUELIGHT can uninstall itself.[48]
BOLDMOVE can remove files on victim systems.[49]
After initial setup, BPFDoor's original execution process deletes the dropped binary and exits.[50]
BRICKSTORM has the ability to delete files and directories.[51] BRICKSTORM also has deleted installer files after execution to reduce detection.[52][53][54]
The BRONZE BUTLER uploader, or the malware the uploader uses, issues a command to delete the RAR archives after they have been exfiltrated.[55]
Bumblebee can uninstall its loader through the use of a Sdl command.[56]
During the C0032 campaign, TEMP.Veles routinely deleted tools, logs, and other files after they were finished with them.[57]
Calisto has the capability to use rm -rf to remove folders and files from the victim's machine.[58]
Carbanak has a command to delete files.[59]
Cardinal RAT can uninstall itself, including deleting its executable.[60]
CARROTBAT has the ability to delete downloaded files from a compromised host.[61]
ccf32 can delete files and folders from compromised machines.[62]
CharmPower can delete created files from a compromised system.[63]
Recent versions of Cherry Picker delete files and registry keys created by the malware.[64]
Chimera has performed file deletion to evade detection.[65]
cmd can be used to delete files from the file system.[66]
COATHANGER removes files from victim environments following use in multiple instances.[67]
Cobalt Group deleted the DLL dropper from the victim’s machine to cover their tracks.[68]
Contagious Interview has configured malware to remove archives used in collection activities following successful exfiltration.[38]
Crimson has the ability to delete files from a compromised host.[69][70][71]
Cryptoistic has the ability to delete files from a compromised host.[72]
CSPY Downloader has the ability to self-delete.[73]
Cuba can use the command cmd.exe /c del to delete its artifacts from the system.[74]
During Cutting Edge, threat actors deleted /tmp/test1.txt on compromised Ivanti Connect Secure VPNs, which was used to hold stolen configuration and cache files.[75][76]
DanBot can delete its configuration file after installation.[77]
DarkGate has deleted its staging directories.[78]
DarkWatchman has been observed deleting its original launcher after installation.[79]
Denis has a command to delete files from the victim’s machine.[80][81]
Derusbi is capable of deleting files. It has been observed loading a Linux Kernel Module (LKM) and then deleting it from the hard disk as well as overwriting the data with null bytes.[82][83]
DOWNIISSA can delete files after download.[84]
Dragonfly has deleted many of its files used during operations as part of cleanup, including removing applications and deleting screenshots.[85]
Drovorub can delete specific files from a compromised host.[86]
Dtrack can remove its persistence and delete itself.[87]
DustySky can delete files it creates from the infected system.[88]
ECCENTRICBANDWAGON can delete log files generated from the malware stored at C:\windows\temp\tmp0207.[89]
Elise is capable of launching a remote shell on the host to delete itself.[90]
Embargo has leveraged MDeployer to terminate the MS4Killer process, delete the decrypted payload files and a driver file dropped by MS4Killer, and reboot the system.[91]
Ember Bear deletes files related to lateral movement to avoid detection.[92]
Epic has a command to delete a file from the machine.[93]
EvilBunny has deleted the initial dropper after running through the environment checks.[94]
Evilnum has deleted files used during infection.[95]
Exaramel for Linux can uninstall its persistence mechanism and delete its configuration file.[96]
Exbyte will self-delete if a hard-coded configuration file is not found.[44]
FALLCHILL can delete malware and associated artifacts from the victim.[97]
FatDuke can securely delete its DLL.[98]
FELIXROOT deletes the .LNK file from the startup directory as well as the dropper components.[99]
Ferocious can delete files from a compromised host.[100]
FIN10 has used batch scripts and scheduled tasks to delete critical system files.[101]
FIN5 uses SDelete to clean up the environment and attempt to prevent detection.[102]
FIN6 has removed files from victim machines.[103]
FIN8 has deleted tmp and prefetch files during post compromise cleanup activities. FIN8 has also deleted PowerShell scripts to evade detection on compromised machines.[104][105]
FlawedAmmyy can execute batch scripts to delete files.[106]
FruitFly will delete files on the system.[107]
FunnyDream can delete files including its dropper component.[62]
Fysbis has the ability to delete files.[108]
Gamaredon Group tools can delete files used during an operation.[109][110][111][112]
Gazer has commands to delete files and persistence mechanisms from the victim.[113][114]
Gelsemium can delete its dropper component from the targeted system.[115]
gh0st RAT has the capability to delete files.[116][117]
Gold Dragon deletes one of its files, 2.hwp, from the endpoint after establishing persistence.[118]
GoldenSpy's uninstaller can delete registry entries, files and folders, and finally itself once these tasks have been completed.[119]
Gomir deletes its original executable and terminates its original process after creating a systemd service.[120]
Grandoreiro can delete .LNK files created in the Startup folder.[121]
Green Lambert can delete the original executable after initial installation in addition to unused functions.[122][123]
GreyEnergy can securely delete a file by hooking into the DeleteFileA and DeleteFileW functions in the Windows API.[124]
GrimAgent can delete old binaries on a compromised host.[125]
Malware used by Group5 is capable of remotely deleting files from victims.[126]
GuLoader can delete its executable from the AppData\Local\Temp directory on the compromised host.[127]
HALFBAKED can delete a specified file.[128]
Hancitor has deleted files using the VBA kill function.[129]
HAWKBALL has the ability to delete files.[130]
HermeticWiper has the ability to overwrite its own file with random bytes.[131][132]
Heyoka Backdoor has the ability to delete folders and files from a targeted system.[133]
Hi-Zor deletes its RAT installer file as it executes its DLL payload file.[134]
Hildegard has deleted scripts after execution.[135]
HotCroissant has the ability to clean up installed files, delete files, and delete itself from the victim’s machine.[136]
HTTPBrowser deletes its original installer file once installation is complete.[137]
HTTPTroy can terminate its running process and then remove traces of itself through the die <COMMAND> command.[138]
Hydraq creates a backdoor through which remote attackers can delete files.[139][140]
HyperBro has the ability to delete a specified file.[141]
IceApple can delete files and directories from targeted systems.[142]
Imminent Monitor has deleted files related to its dynamic debugger feature.[143]
INC Ransom has uninstalled tools from compromised endpoints after use.[144]
InnaputRAT has a command to delete files.[145]
InvisiMole has deleted files and directories including XML and files successfully uploaded to C2 servers.[146][147]
IPsec Helper can delete itself when given the appropriate command.[6]
Ixeshe has a command to delete a file from the machine.[148]
The JHUHUGIT dropper can delete itself from the victim. Another JHUHUGIT variant has the capability to delete specified files.[149][150]
JPIN's installer/uninstaller component deletes itself if it encounters a version of Windows earlier than Windows XP or identifies security-related processes running.[151]
jRAT has a function to delete files from the victim’s machine.[152]
Kevin can delete files created on the victim's machine.[154]
KEYMARBLE has the capability to delete files off the victim’s machine.[155]
KillDisk has the ability to quit and delete itself.[156]
Kimsuky has deleted the exfiltrated data on disk after transmission. Kimsuky has also used an instrumentor script to terminate browser processes running on an infected system and then delete the cookie files on disk.[157][158][159] Kimsuky has deleted files using the Remove-Item PowerShell cmdlet to remove traces of executed payloads.[160] Kimsuky has also removed remnants of files used for delivery, including .log and .zip files.[161]
Kivars has the ability to uninstall malware from the infected host.[162]
The Komplex trojan supports file deletion.[163]
KV Botnet Activity removes on-disk copies of tools and other artifacts after the primary botnet payload has been loaded into memory on the victim device.[165]
Latrodectus has the ability to delete itself.[166][167]
Lazarus Group malware has deleted files in various ways, including "suicide scripts" to delete malware binaries from the victim. Lazarus Group also uses secure file deletion to delete files from the victim.[168][169]
LightNeuron has a function to delete files.[170]
Line Runner removes its initial ZIP delivery archive after processing the enclosed Lua script.[24]
Linfo creates a backdoor through which remote attackers can delete files.[171]
LiteDuke can securely delete files by first writing random data to the file.[98]
LockBit 2.0 can delete itself from disk after execution.[172][173][174]
LockBit 3.0 can delete itself from disk.[175][176]
LockerGoga has been observed deleting its original launcher after execution.[177]
LODEINFO can delete files to remove traces of activity from victim systems.[178]
Lokibot will delete its dropped files after bypassing UAC.[179]
LookBack removes itself after execution and can delete files on the system.[180]
LoudMiner deleted installation files after completion.[181]
LunarMail can delete the previously used staging directory and files on subsequent rounds of exfiltration and replace it with a new one.[182]
LunarWeb can self-delete from a compromised host if safety checks of C2 connectivity fail.[182]
Once a file is uploaded, Machete will delete it from the machine.[183]
MacMa can delete itself from the compromised computer.[184]
MacSpy deletes any temporary files it creates.[185]
Magic Hound has deleted and overwritten files to cover tracks.[186][187][188]
MagicRAT can delete files on victim systems, including itself.[189]
Medusa Group has deleted previously installed tools.[190]
Medusa Ransomware has the ability to delete itself after execution.[191] Medusa Ransomware also has the ability to delete itself after execution through the command cmd /c ping localhost -n 3 > nul & del.[192][193]
A menuPass macro deletes files after it has decoded and decompressed them.[194][195]
Once loaded into memory, MESSAGETAP deletes the keyword_parm.txt and parm.txt configuration files from disk.[196]
Metador has quickly deleted cbd.exe from a compromised host following the successful deployment of their malware.[197]
metaMain has deleted collected items after uploading the content to its C2 server.[197][198]
Metamorfo has deleted itself from the system after execution.[199][200]
Meteor will delete the folder containing malicious scripts if it detects the hostname as PIS-APP, PIS-MOB, WSUSPROXY, or PIS-DB.[201]
Milan can delete files via C:\Windows\system32\cmd.exe /c ping 1.1.1.1 -n 1 -w 3000 > Nul & rmdir /s /q.[77]
MirrorFace has deleted directories containing malware and archives with files collected from the victim environment.[202][203][204][205]
Misdat is capable of deleting the backdoor file.[206]
MoonWind can delete itself or specified files.[207]
More_eggs can remove itself from a system.[68][208]
Mori can delete its DLL file and related files by Registry value.[209]
Mosquito deletes files using DeleteFileW API call.[210]
MultiLayer Wiper uses a batch file, remover.bat, to delete malware artifacts and the batch file itself during execution.[211]
MURKYTOP has the capability to delete local files.[83]
Mustang Panda will delete their tools and files, and kill processes after their objectives are reached.[212][213]
NanHaiShu launches a script to delete their original decoy file to cover tracks.[214]
Nebulae has the ability to delete files and directories.[215]
NICECURL has a function to remove artifacts.[216]
Nightdoor can self-delete.[217]
njRAT is capable of deleting files.[218][219]
NOKKI can delete files to cover tracks.[220]
NOOPLDR can delete a file containing configuration instructions after use.[203]
OceanSalt can delete files from the system.[221]
ODAgent can delete payloads and files used to pass C2 commands from remotely hosted cloud accounts.[222]
OilRig has deleted files associated with their payload after execution.[223][224]
Okrum's backdoor deletes files after they have been successfully uploaded to C2 servers.[225]
OopsIE has the capability to delete files and scripts from the victim's machine.[226]
During Operation AkaiRyū, MirrorFace deleted delivered tools and files from compromised hosts.[227]
During Operation Digital Eye, threat actors deleted files delivered to compromised hosts, often named with the pattern do.* such as do.exe.[228]
During Operation Dream Job, Lazarus Group removed all previously delivered files from a compromised computer.[229]
During Operation Honeybee, the threat actors used batch files that reduced their fingerprint on a compromised system by deleting malware-related files.[230]
During Operation Wocao, the threat actors consistently removed traces of their activity by first overwriting a file using /c cd /d c:\windows\temp\ & copy \\<IP ADDRESS>\c$\windows\system32\devmgr.dll \\<IP ADDRESS>\c$\windows\temp\LMAKSW.ps1 /y and then deleting the overwritten file using /c cd /d c:\windows\temp\ & del \\<IP ADDRESS>\c$\windows\temp\LMAKSW.ps1.[231]
OSX_OCEANLOTUS.D has a command to delete a file from the system. OSX_OCEANLOTUS.D deletes the app bundle and dropper after execution.[232][233][234]
OutSteel can delete itself following the successful execution of a follow-on payload.[235]
P.A.S. Webshell can delete scripts from a subdirectory of /tmp after they are run.[96]
Pasam creates a backdoor through which remote attackers can delete files.[236]
Patchwork removed certain files and replaced them so they could not be retrieved.[237]
Pay2Key can remove its log file from disk.[238]
PcShare has deleted its files and components from a compromised host.[62]
Penquin can delete downloaded executables after running them.[239]
Pillowmint has deleted the filepath %APPDATA%\Intel\devmonsrv.exe.[240]
Play has used tools including Wevtutil to remove malicious files from compromised hosts.[241]
PLEAD has the ability to delete files on the compromised host.[162]
PlugX has the ability to remove itself and other artifacts.[242][243]
pngdowner deletes content from C2 communications that was saved to the user's temporary directory.[244]
PoetRAT has the ability to overwrite scripts and delete itself if a sandbox environment is detected.[245]
Pony has used scripts to delete itself after execution.[246]
PowerDuke has a command to write random data across a file and delete it.[247]
PowerShower has the ability to remove all files created during the dropper process.[248]
POWERSTATS can delete all files on the C:\, D:\, E:\, and F:\ drives using PowerShell Remove-Item commands.[249]
After encrypting its own log files, the log encryption module in Prikormka deletes the original, unencrypted files from the host.[250]
ProLock can remove files containing its payload after they are executed.[251]
Proton removes all files in the /tmp directory.[107]
Proxysvc can delete files indicated by the attacker and remove itself from disk using a batch file.[169]
Pteranodon can delete files that may interfere with it executing. It also can delete temporary files and itself after the initial script executes.[252]
PUNCHBUGGY can delete files written to disk.[104][253]
PureCrypter can execute a PowerShell command to self-delete.[254]
PyDCrypt will remove all created artifacts such as dropped executables.[255]
Pysa has deleted batch files after execution.[256]
QakBot can delete folders and files including overwriting its executable with legitimate programs.[257][258][259][251]
Qilin can delete itself from infected hosts after execution.[260][261]
QUADAGENT has a command to delete its Registry key and scheduled task.[262]
Raccoon Stealer can remove files related to use and installation.[263]
RainyDay has the ability to uninstall itself by deleting its service and files.[215]
RansomHub has the ability to self-delete.[264]
Raspberry Robin can delete its initial delivery script from disk during execution.[265]
RCSession can remove files from a targeted system.[266]
RDAT can issue SOAP requests to delete already processed C2 emails. RDAT can also delete itself from the infected system.[267]
RDFSNIFFER has the capability of deleting local files.[268]
Reaver deletes the original dropped file from the victim.[269]
RedCurl has deleted files after execution.[270][271][272]
RedLeaves can delete specified files.[273]
During RedPenguin, UNC3886 used malware capable of removing scripts after execution.[274]
Remcos can delete files and folders from victim machines.[275]
Remsec is capable of deleting files on the victim. It also securely removes itself after collecting and exfiltrating data.[276][277][278]
REvil can mark its binary code for deletion after reboot.[279]
Rising Sun can delete files and artifacts it creates.[280]
ROADSWEEP can use embedded scripts to remove itself from the infected host.[281][282]
Rocke has deleted files on infected machines.[283]
ROKRAT can request to delete files.[284]
RTM can delete all files created during its execution.[285][286]
RunningRAT contains code to delete files from the victim’s machine.[118]
S-Type has deleted files it has created on a compromised host.[206]
Saint Bot can run a batch script named del.bat to remove any Saint Bot payload-linked files from a compromised system if anti-analysis or locale checks fail.[235]
Some Sakula samples use cmd.exe to delete temporary files.[287]
SamSam has been seen deleting its own files and payloads to make analysis of the attack more difficult.[288]
Sandworm Team has used backdoors that can delete files used in an attack from an infected system.[156][289][290]
SDBbot has the ability to delete files from a compromised host.[291]
SDelete deletes data in a way that makes it unrecoverable.[1]
SeaDuke can securely delete files, including deleting itself from the victim.[292]
Seasalt has a command to delete a specified file.[293]
ServHelper has a module to delete itself from the infected machine.[294][295]
Shark can delete files downloaded to the compromised host.[77]
ShimRat can uninstall itself from compromised hosts, as well as create and modify directories and delete, move, copy, and rename files.[296]
ShrinkLocker can delete itself depending on various checks performed during execution.[297]
Sibot will delete itself if a certain server response is received.[298]
Silence has deleted artifacts, including scheduled tasks, communications files from the C2, and other logs.[299][300]
SILENTTRINITY can remove files from the compromised host.[301]
SLOTHFULMEDIA has deleted itself and the 'index.dat' file on a compromised machine to remove recent Internet history from the system.[302]
Solar has the ability to delete staged files after they are uploaded to C2.[303]
During the SolarWinds Compromise, APT29 routinely removed their tools, including custom backdoors, once remote access was achieved.[304]
SombRAT has the ability to run cancel or closeanddeletestorage to remove all files from storage and delete the storage temp file on a compromised host.[305]
SPAWNCHIMERA has deleted generated files and folders from victim devices.[306]
SpeakUp deletes files to remove evidence on the machine.[307]
SQLRat has been observed deleting scripts once used.[308]
StealBit can self-delete its executable file from the compromised system.[309][172]
StoneDrill has been observed deleting the temporary files once they fulfill their task.[310]
StrifeWater can self-delete to cover its tracks.[311]
StrongPity can delete previously exfiltrated files from the compromised host.[312][313]
Stuxnet uses an RPC server that contains a routine for file deletion and also removes itself from the system through a DLL export by deleting specific files.[314]
SUNBURST had a command to delete files.[304][315]
Following the successful injection of SUNBURST, SUNSPOT deleted a temporary file it created named InventoryManager.bk after restoring the original SolarWinds Orion source code to the software library.[316]
SysUpdate can delete its configuration file from the targeted system.[317]
Taidoor can use DeleteFileA to remove files from infected hosts.[318]
TAINTEDSCRIBE can delete files from a compromised host.[319]
TDTESS creates then deletes log files during installation of itself as a service.[320]
TeamTNT has used a payload that removes itself after running. TeamTNT also has deleted locally staged files for collecting credentials or scan results for local IP addresses after exfiltrating them.[321][322]
The White Company has the ability to delete its malware entirely from the target system.[323]
Threat Group-3390 has deleted existing logs and exfiltrated file archives from a victim.[324][325]
TONESHELL has deleted payload files received from the C2 server.[326]
TRAILBLAZE has the ability to delete temporary files and contents in specified directories to cover its tracks.[327][328]
Trojan.Karagany has used plugins with a self-delete capability.[329]
Troll Stealer creates and can execute a BAT script that will delete the malware.[330]
Tropic Trooper has deleted dropper files on an infected system using command scripts.[331]
TYPEFRAME can delete files off the system.[332]
UNC3886 has used the esxcli command line to remove files created by malicious vSphere Installation Bundles from disk.[333][334]
UPSTYLE removes bootstrap.min.css after parsing command and control instructions, restoring the file to its original state.[335]
Uroburos can run a Clear Agents Track command on an infected machine to delete Uroburos-related logs.[336]
Ursnif has deleted data staged in tmp files after exfiltration.[337]
USBStealer has several commands to delete files associated with the malware from the victim.[338]
VBShower has attempted to complicate forensic analysis by deleting all the files contained in %APPDATA%..\Local\Temporary Internet Files\Content.Word and %APPDATA%..\Local Settings\Temporary Internet Files\Content.Word\.[339]
VERMIN can delete files on the victim’s machine.[340]
VersaMem deleted files related to initial installation such as temporary files related to the PID of the main web process.[341]
Volgmer can delete files and itself after infection to avoid analysis.[342]
Volt Typhoon has run rd /S to delete their working directories and deleted systeminfo.dat from C:\Users\Public\Documentsfiles.[343][344]
WhisperGate can delete tools from a compromised host after execution.[345]
WINDSHIELD is capable of file deletion along with other file system interaction.[346]
WindTail has the ability to receive and execute a self-delete command.[347]
Wingbird deletes its payload along with the payload's parent process after it finishes copying files.[348]
Winnti for Windows can delete the DLLs for its various components from a compromised host.[349]
Wizard Spider has used file deletion to remove some modules and configurations from an infected host after use.[350]
Woody RAT has the ability to delete itself from disk by creating a suspended notepad process and writing shellcode to delete a file into the suspended process using NtWriteVirtualMemory.[351]
XAgentOSX contains the deletFileFromPath function to delete a specified file using the NSFileManager:removeFileAtPath method.[352]
XLoader can delete malicious executables from compromised machines.[353]
Zebrocy has a command to delete files and directories.[354][355][356]
ZeroCleare has the ability to uninstall the RawDisk driver and delete the rwdsk file on disk.[281][357]
Zeus Panda has a command to delete a file. It also can uninstall scripts and delete files to cover its tracks.[358]
zwShell has deleted itself after creating a service as well as deleted a temporary file when the system reboots.[359]