File Deletion

Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary it may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.

There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native cmd functions such as DEL, secure deletion tools such as Windows Sysinternal Sdelete, or other third-party file deletion tools.


Sometimes adversaries need to delete their traces, and to remove their tracks, also their payloads so they don't get caught and have Security Engineers grab the payload and Reverse Engineer it, they want to avoid this so they don't create a signature and understand how the payload works.

Sometimes a simple del command you can use to remove the file completely and not have it stay in the Recycle Bin.

We see here that if we delete a file regularly as a normal User with it will move to the Recycle Bin


And using cmd it will not move to Recycle Bin

Of course this is just a very simple example we can use 3rd party tools to completely remove traces about our payload and can be harder to recover with the use of Forensic tools.

Last updated