
Technique Results: File Deletion (T1107)

Technique Page Information

The ATT&CK technique page displays all procedures used to test the technique, and their respective detections. The Procedure column contains a description of how the technique was tested. The Step column is where the procedure occurred in the operational flow. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by screenshots.

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.

Legend

Main Detection Categories: None, Telemetry, MSSP, General, Tactic, Technique. (The page also carries the category labels used in the earlier APT3 round: Indicator of Compromise, General Behavior, Specific Behavior, Enrichment.)

Detection Modifiers: Alert, Correlated, Delayed, Host Interrogation, Residual Artifact, Configuration Change, Innovative. (Earlier-round modifier: Tainted.)
Procedures

Procedure: Deleted rcs.3aka3.doc on disk using SDelete
Criteria: sdelete64.exe deleting the file rcs.3aka3.doc
Step: 4.B.2
Detections:
  Technique (Alert, Correlated): A Technique alert detection for file deletion (medium severity) was generated due to sdelete64.exe deleting rcs.3aka3.doc. The detection was correlated to a parent alert for PowerShell. [1]
  MSSP (Delayed (Manual)): An MSSP detection occurred containing evidence of sdelete64.exe deleting rcs.3aka3.doc. [1]
  Telemetry: Telemetry showed sdelete64.exe deleting rcs.3aka3.doc. [1]

Procedure: Deleted Draft.zip on disk using SDelete
Criteria: sdelete64.exe deleting the file Draft.zip
Step: 4.B.3
Detections:
  Technique (Alert, Correlated): A Technique alert detection for file deletion (medium severity) was generated due to sdelete64.exe deleting Draft.zip. The detection was correlated to a parent alert for PowerShell. [1] [2]
  MSSP (Delayed (Manual)): An MSSP detection occurred containing evidence of sdelete64.exe deleting Draft.zip. [1]
  Telemetry: Telemetry showed sdelete64.exe deleting Draft.zip. [1]

Procedure: Deleted SysinternalsSuite.zip on disk using SDelete
Criteria: sdelete64.exe deleting the file SysinternalsSuite.zip
Step: 4.B.4
Detections:
  Technique (Alert, Correlated): A Technique alert detection (medium severity) for file deletion was generated due to sdelete64.exe deleting SysinternalsSuite.zip. This was correlated to a previous detection for PowerShell. [1] [2]
  MSSP (Delayed (Manual)): An MSSP detection occurred containing evidence of sdelete64.exe deleting SysinternalsSuite.zip. [1]
  Telemetry: Telemetry showed sdelete64.exe deleting SysinternalsSuite.zip. [1]

Procedure: Deleted rar.exe on disk using SDelete
Criteria: sdelete64.exe deleting the file rar.exe
Step: 9.C.1
Detections:
  Technique (Alert): A Technique alert detection (medium severity) for "Sdelete file removal" was generated when sdelete64.exe with command-line arguments was used to delete rar.exe. [1]
  Telemetry (Correlated): Telemetry showed sdelete64.exe with command-line arguments to delete rar.exe. The event was correlated to a Technique detection on python.exe. [1]

Procedure: Deleted working.zip (from Desktop) on disk using SDelete
Criteria: sdelete64.exe deleting the file \Desktop\working.zip
Step: 9.C.2
Detections:
  Technique (Alert): A Technique alert detection (medium severity) for "Sdelete file removal" was generated when sdelete64.exe with command-line arguments was used to delete Desktop\working.zip. [1]
  MSSP (Delayed (Manual)): An MSSP detection occurred containing evidence of sdelete deleting Desktop\working.zip. [1] [2]
  Telemetry (Correlated): Telemetry showed sdelete64.exe with command-line arguments to delete Desktop\working.zip. The event was correlated to a Technique detection on python.exe. [1]

Procedure: Deleted working.zip (from AppData directory) on disk using SDelete
Criteria: sdelete64.exe deleting the file \AppData\Roaming\working.zip
Step: 9.C.3
Detections:
  Technique (Alert): A Technique alert detection (medium severity) for "Sdelete file removal" was generated when sdelete64.exe with command-line arguments was used to delete Roaming\working.zip. [1]
  MSSP (Delayed (Manual)): An MSSP detection occurred containing evidence of sdelete deleting Roaming\working.zip. [1] [2]
  Telemetry (Correlated): Telemetry showed sdelete64.exe with command-line arguments to delete Roaming\working.zip. The event was correlated to a Technique detection on python.exe. [1]

Procedure: Deleted SDelete on disk using cmd.exe del command
Criteria: cmd.exe deleting the file sdelete64.exe
Step: 9.C.4
Detections:
  MSSP (Delayed (Manual)): An MSSP detection occurred containing evidence of the deletion of sdelete.exe. [1] [2]
  Telemetry: Telemetry showed the file deletion of sdelete64.exe. [1]

Procedure: Deleted Mimikatz (m.exe) on disk using SDelete
Criteria: File delete event for C:\Windows\System32\m.exe
Step: 19.A.1
Detections: N/A. Due to execution inconsistencies, Step 19 has been omitted from the evaluation results.

Procedure: Deleted exfiltrated data on disk using SDelete
Criteria: File delete event for C:\Windows\Temp\WindowsParentalControlMigration.tmp
Step: 19.B.1
Detections: N/A. Due to execution inconsistencies, Step 19 has been omitted from the evaluation results.

Procedure: Deleted staged data on disk using SDelete
Criteria: File delete event for C:\Windows\Temp\WindowsParentalControlMigration\MITRE-ATTACK-EVALS.HTML
Step: 19.C.1
Detections: N/A. Due to execution inconsistencies, Step 19 has been omitted from the evaluation results.
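The pattern the results above reward is a rule that keys on sdelete64.exe being started with file operands and then ties that start to the script host that spawned it (PowerShell in Step 4, python.exe in Step 9), plus plain telemetry for the one procedure no alert covered, the wiper binary being removed with cmd.exe del (9.C.4). The following is an added example, not code from MITRE or F-Secure, that implements that logic over a handful of constructed process-start records; the ProcEvent fields, the user name in the paths and the rule names are this example's own assumptions.

```python
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-start record. Field names are this example's own; any
    Sysmon EventID 1 or EDR process event carries the same four values."""
    pid: int
    ppid: int
    image: str      # full path of the started executable
    cmdline: str    # raw command line as logged


# SDelete switches: most take no value, -p takes a pass count.
SDELETE_FLAGS = {"-accepteula", "-nobanner", "-c", "-z", "-s", "-r", "-q", "-f"}
SDELETE_VALUED = {"-p"}
SDELETE_NAMES = {"sdelete.exe", "sdelete64.exe"}
# Interpreters whose presence in the ancestry the detection correlates on.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "python.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (or a bare token)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def sdelete_targets(cmdline: str) -> list[str]:
    """Return the file/directory operands SDelete was asked to wipe.
    Switches are skipped (case-insensitively); a banner-only run yields []."""
    toks = shlex.split(cmdline, posix=False)   # non-POSIX: backslashes kept, quotes kept
    targets = []
    it = iter(toks[1:])                         # toks[0] is the program itself
    for t in it:
        low = t.lower()
        if low in SDELETE_VALUED:
            next(it, None)                      # consume the value (pass count)
        elif low in SDELETE_FLAGS:
            continue
        else:
            targets.append(t.strip('"'))
    return targets


def ancestry(pid: int, by_pid: dict[int, ProcEvent], max_depth: int = 8) -> list[str]:
    """Parent image names from the nearest parent outward (self excluded)."""
    chain, cur = [], by_pid.get(pid)
    while cur is not None and len(chain) < max_depth:
        parent = by_pid.get(cur.ppid)
        if parent is None:
            break
        chain.append(basename(parent.image))
        cur = parent
    return chain


def detect(events: list[ProcEvent]) -> list[dict]:
    """Two rules: SDelete started with file operands (medium, correlated to the
    first script host in its ancestry), and cmd.exe del/erase aimed at the
    SDelete binary itself, the cleanup step that only telemetry recorded."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = basename(e.image)
        parents = ancestry(e.pid, by_pid)
        host = next((p for p in parents if p in SCRIPT_HOSTS), None)
        if name in SDELETE_NAMES:
            targets = sdelete_targets(e.cmdline)
            if not targets:                    # no operand, nothing was wiped
                continue
            alerts.append({"rule": "sdelete_file_removal", "severity": "medium",
                           "pid": e.pid, "targets": targets, "correlated_parent": host})
        elif name == "cmd.exe":
            toks = [t.strip('"').lower() for t in shlex.split(e.cmdline, posix=False)]
            victims = [t for t in toks if basename(t) in SDELETE_NAMES]
            if victims and any(t in ("del", "erase") for t in toks):
                alerts.append({"rule": "wiper_binary_removed", "severity": "low",
                               "pid": e.pid, "targets": victims, "correlated_parent": host})
    return alerts


# Constructed sample telemetry mirroring Steps 4.B and 9.C (paths and user are made up).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(300, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -noni -ep bypass"),
    ProcEvent(310, 300, r"C:\Users\oscar\Downloads\sdelete64.exe", r'sdelete64.exe -accepteula "C:\Users\oscar\Downloads\rcs.3aka3.doc"'),
    ProcEvent(311, 300, r"C:\Users\oscar\Downloads\sdelete64.exe", r"sdelete64.exe -accepteula -p 2 C:\Users\oscar\Downloads\Draft.zip"),
    ProcEvent(500, 100, r"C:\Python37\python.exe", "python.exe"),
    ProcEvent(510, 500, r"C:\Users\oscar\AppData\Roaming\sdelete64.exe", r"sdelete64.exe -accepteula C:\Users\oscar\Desktop\working.zip"),
    ProcEvent(520, 500, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c del C:\Users\oscar\AppData\Roaming\sdelete64.exe"),
    ProcEvent(530, 300, r"C:\Users\oscar\Downloads\sdelete64.exe", "sdelete64.exe -accepteula"),   # banner only
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["rule"], a["severity"], a["targets"], "parent:", a["correlated_parent"])
```

On the sample set this raises four findings: three sdelete_file_removal alerts (two correlated to powershell.exe, one to python.exe) and one wiper_binary_removed for the cmd.exe del, while the banner-only run is ignored. The obvious caveat is that both rules key on the image name, so a renamed SDelete binary evades them; in production, match on the PE OriginalFileName or file hash as well, and pair the process rule with file-delete telemetry for the named target, which is what the MSSP and Telemetry rows above relied on.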