
Technique Results: File Deletion (T1107)

Technique Page Information

The ATT&CK technique page displays all procedures used to test the technique and their respective detections. The Procedure column describes how the technique was tested. The Step column gives where the procedure occurred in the operational flow; click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized in the Detection Notes, and may be supported by screenshots.

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation; these are not endorsed or validated by MITRE.

Legend

Main Detection Categories:
None
Telemetry
Indicator of Compromise
General Behavior
MSSP
General
Tactic
Specific Behavior
Technique
Enrichment

Detection Modifiers:
Tainted
Alert
Correlated
Delayed
Host Interrogation
Residual Artifact
Configuration Change
Innovative
Results (Procedure, Criteria, Step, Detection Type, Detection Notes)

Procedure: Deleted rcs.3aka3.doc on disk using SDelete
Criteria: sdelete64.exe deleting the file rcs.3aka3.doc
Step: 4.B.2
Detection Type: Telemetry (Correlated)
Detection Notes: Telemetry showed sdelete.exe running with command-line arguments to delete the file. The detection was correlated to a parent alert for malicious file execution. [1]

Procedure: Deleted Draft.zip on disk using SDelete
Criteria: sdelete64.exe deleting the file draft.zip
Step: 4.B.3
Detection Type: Telemetry (Correlated)
Detection Notes: Telemetry showed sdelete.exe running with command-line arguments to delete the file. The detection was correlated to a parent alert for malicious file execution. [1]

Procedure: Deleted SysinternalsSuite.zip on disk using SDelete
Criteria: sdelete64.exe deleting the file SysinternalsSuite.zip
Step: 4.B.4
Detection Type: Telemetry (Correlated)
Detection Notes: Telemetry showed sdelete.exe running with command-line arguments to delete the file. The detection was correlated to a parent alert for malicious file execution. [1]

Procedure: Deleted rar.exe on disk using SDelete
Criteria: sdelete64.exe deleting the file rar.exe
Step: 9.C.1
Detection Type: Technique (Configuration Change (Detections), Correlated, Alert)
Detection Notes: A Technique alert detection (high severity) for "ATT&CK T1107 File Deletion" was generated when sdelete64.exe made a NtSetInformationFile API call deleting rar.exe. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1]
Detection Type: Telemetry (Correlated)
Detection Notes: Telemetry showed sdelete64.exe with command-line arguments to delete rar.exe. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1]

Procedure: Deleted working.zip (from Desktop) on disk using SDelete
Criteria: sdelete64.exe deleting the file \Desktop\working.zip
Step: 9.C.2
Detection Type: Telemetry
Detection Notes: Telemetry showed sdelete64.exe with command-line arguments to delete Desktop\working.zip. [1]

Procedure: Deleted working.zip (from AppData directory) on disk using SDelete
Criteria: sdelete64.exe deleting the file \AppData\Roaming\working.zip
Step: 9.C.3
Detection Type: Technique (Configuration Change (Detections), Correlated, Alert)
Detection Notes: A Technique alert detection (high severity) for "ATT&CK T1107 File Deletion" was generated when sdelete64.exe made a NtSetInformationFile API call deleting Roaming\working.zip. This event was correlated to a Technique detection for the creation of psexesvc.exe. Configuration changes were made to increase detection capability, specifically additional API monitoring. [1]
Detection Type: Telemetry (Correlated)
Detection Notes: Telemetry showed sdelete64.exe with command-line arguments to delete Roaming\working.zip. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1]

Procedure: Deleted SDelete on disk using cmd.exe del command
Criteria: cmd.exe deleting the file sdelete64.exe
Step: 9.C.4
Detection Type: Technique (Correlated, Alert)
Detection Notes: A Technique alert detection for "ATT&CK T1107 File Deletion" was generated when cmd.exe deleted sdelete64.exe. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1]
Detection Type: Telemetry (Correlated)
Detection Notes: Telemetry showed cmd.exe deleting sdelete64.exe. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1]

Procedure: Deleted Mimikatz (m.exe) on disk using SDelete
Criteria: File delete event for C:\Windows\System32\m.exe
Step: 19.A.1
Detection Type: N/A
Detection Notes: Due to execution inconsistencies, Step 19 has been omitted from the evaluation results.

Procedure: Deleted exfiltrated data on disk using SDelete
Criteria: File delete event for C:\Windows\Temp\WindowsParentalControlMigration.tmp
Step: 19.B.1
Detection Type: N/A
Detection Notes: Due to execution inconsistencies, Step 19 has been omitted from the evaluation results.

Procedure: Deleted staged data on disk using SDelete
Criteria: File delete event for C:\Windows\Temp\WindowsParentalControlMigration\MITRE-ATTACK-EVALS.HTML
Step: 19.C.1
Detection Type: N/A
Detection Notes: Due to execution inconsistencies, Step 19 has been omitted from the evaluation results.
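The detection notes above rest on two observations: process-creation telemetry showing sdelete.exe/sdelete64.exe or cmd.exe with command-line arguments that name the deleted file, and correlation of that event to an earlier alert on a related process. The following Python is an added example (not Elastic's detection content and not part of the MITRE results) that sketches this logic over constructed Sysmon-style process-creation records. The field names, host names, pids, paths and the "prior alert" set are all assumptions built for the example; it covers only the command-line telemetry, not the NtSetInformationFile API monitoring the Technique detections relied on.

```python
"""Flag SDelete and cmd.exe del/erase usage in process-creation telemetry (T1107)
and mark each hit as Correlated when its parent already carries an alert.

Added example; all records and alert identifiers below are constructed."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    ts: int            # event time, arbitrary units (constructed)
    host: str
    pid: int
    ppid: int
    image: str         # full path of the created process
    command_line: str


@dataclass
class Detection:
    event: ProcessEvent
    tool: str          # "sdelete" or "cmd-del"
    targets: List[str] # file paths the command line deletes
    correlated: bool   # parent (or self) already had an alert


SDELETE_IMAGES = {"sdelete.exe", "sdelete64.exe"}
TOKEN_RE = re.compile(r'"[^"]*"|\S+')   # keep quoted Windows paths whole


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokenize(command_line: str) -> List[str]:
    return [t.strip('"') for t in TOKEN_RE.findall(command_line)]


def sdelete_targets(command_line: str) -> List[str]:
    """Everything that is not a switch is a deletion target; -p N consumes N."""
    targets, skip = [], False
    for tok in tokenize(command_line)[1:]:       # drop the executable token
        if skip:
            skip = False
            continue
        if tok[:1] in ("-", "/"):
            skip = tok[1:].lower() == "p"        # pass count follows -p
            continue
        targets.append(tok)
    return targets


def cmd_del_targets(command_line: str) -> List[str]:
    """Targets after a del/erase verb, skipping /f /q /s style switches."""
    tokens = tokenize(command_line)
    lowered = [t.lower() for t in tokens]
    for verb in ("del", "erase"):
        if verb in lowered:
            targets = []
            for tok in tokens[lowered.index(verb) + 1:]:
                if tok in ("&", "&&", "|", "||"):  # stop at a command separator
                    break
                if tok.startswith("/"):
                    continue
                targets.append(tok)
            return targets
    return []


def detect_file_deletion(events: Iterable[ProcessEvent],
                         prior_alerts: Set[Tuple[str, int]]) -> List[Detection]:
    """prior_alerts holds (host, pid) of processes an earlier alert fired on."""
    detections = []
    for ev in sorted(events, key=lambda e: e.ts):
        name = basename(ev.image)
        if name in SDELETE_IMAGES:
            tool, targets = "sdelete", sdelete_targets(ev.command_line)
        elif name == "cmd.exe":
            targets = cmd_del_targets(ev.command_line)
            if not targets:
                continue                          # cmd.exe doing something else
            tool = "cmd-del"
        else:
            continue
        correlated = ((ev.host, ev.ppid) in prior_alerts
                      or (ev.host, ev.pid) in prior_alerts)
        detections.append(Detection(ev, tool, targets, correlated))
    return detections


# Constructed sample: pid 100 on WS1 stands in for the "parent alert" in the notes.
PRIOR_ALERTS = {("WS1", 100)}
SAMPLE_EVENTS = [
    ProcessEvent(1, "WS1", 100, 50, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcessEvent(2, "WS1", 200, 100, r"C:\Tools\sdelete64.exe",
                 r'sdelete64.exe -p 3 -q "C:\Users\u\Desktop\working.zip"'),
    ProcessEvent(3, "WS1", 300, 100, r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c del /f /q C:\Tools\sdelete64.exe"),
    ProcessEvent(4, "WS1", 400, 60, r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c dir C:\Users"),
    ProcessEvent(5, "WS2", 500, 70, r"C:\Tools\sdelete.exe",
                 r"sdelete.exe -s C:\Temp\staged C:\Temp\report.zip"),
]

if __name__ == "__main__":
    for d in detect_file_deletion(SAMPLE_EVENTS, PRIOR_ALERTS):
        tag = "Telemetry (Correlated)" if d.correlated else "Telemetry"
        print(f"{d.event.host} pid={d.event.pid} {d.tool} {d.targets} -> {tag}")
```

The sample run yields three hits: the two WS1 events are tagged Correlated because their parent pid carries the earlier alert, while the WS2 SDelete run is plain Telemetry; the benign cmd.exe invocations produce nothing.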