File Deletion
Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process. There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native cmd functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. You can read more about this attacker technique at https://attack.mitre.org/wiki/Technique/T1107.
The Veramine platform preserves, server-side, a single copy of every binary that was loaded by any process on any system where the Veramine sensor is installed. Each time the sensor reports an image load for a hash it has not seen before, it also asks the server whether the server wants the file uploaded. The server requests a file upload from the first sensor that encounters each new file, so each distinct binary is transferred and stored only once.
Having a copy of the binary server-side allows us to process every binary with the Veramine Binary Analysis Pipeline (BAP) to discover characteristics of each binary and assign it a suspicion score. We also preserve a copy of every loaded file so that it can be served on demand through the Veramine portal as a download to any customer who has ever encountered that binary. Preserving binaries and making them readily available from the server (where attackers are unable to tamper with them) helps mitigate the file deletion risk: even after an adversary deletes a tool from the host, the copy and its analysis results remain.
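The following is an added example, not Veramine's own code, that models the first-seen upload exchange described above: sensors hash every loaded image, the server asks for an upload only for a hash it has not stored yet, rejects uploads whose bytes do not match the reported hash, and serves the preserved copy only to hosts that actually reported loading it. The class and method names, the in-memory stores, the host names and the file bytes are all constructed for the illustration; the real platform's protocol and API are not shown on this page.

```python
import hashlib

# Added example (not Veramine's code): a minimal model of the first-seen upload
# protocol the text describes. Names, message shapes and the in-memory stores
# are assumptions; the real platform's API is not shown on the page.


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class PreservationServer:
    """Server side: keeps exactly one copy of each distinct binary, keyed by hash."""

    def __init__(self):
        self.store = {}      # sha256 -> file bytes (one copy per distinct binary)
        self.seen_on = {}    # sha256 -> set of hosts that reported loading it

    def report_image_load(self, host: str, sha256: str) -> bool:
        """A sensor reports an image load. Returns True if the server wants the file."""
        self.seen_on.setdefault(sha256, set()).add(host)
        return sha256 not in self.store

    def upload(self, host: str, sha256: str, data: bytes) -> bool:
        """Accept an upload only if the bytes match the reported hash and are new."""
        if sha256_hex(data) != sha256:
            return False                 # corrupted or tampered upload: reject it
        if sha256 in self.store:
            return False                 # another sensor uploaded it first: dedupe
        self.store[sha256] = data
        self.seen_on.setdefault(sha256, set()).add(host)
        return True

    def download(self, host: str, sha256: str) -> bytes:
        """Serve the preserved copy only to a host that actually encountered it."""
        if host not in self.seen_on.get(sha256, set()):
            raise PermissionError(f"{host} never reported loading {sha256[:12]}")
        return self.store[sha256]


class Sensor:
    """Host side: hashes every loaded image and uploads it when the server asks."""

    def __init__(self, host: str, server: PreservationServer):
        self.host = host
        self.server = server

    def on_image_load(self, path: str, filesystem: dict) -> tuple:
        """Returns (sha256, uploaded) for the image at `path` on this host."""
        data = filesystem[path]
        digest = sha256_hex(data)
        wanted = self.server.report_image_load(self.host, digest)
        uploaded = self.server.upload(self.host, digest, data) if wanted else False
        return digest, uploaded


def simulate() -> dict:
    """Two hosts load the same dropped tool, the adversary deletes it, and the
    server still holds the copy. Filesystems and file bytes are constructed."""
    server = PreservationServer()
    tool_bytes = b"MZ\x90\x00constructed-sample-tool-bytes"   # constructed, not a real PE
    fs_a = {r"C:\Users\Public\t.exe": tool_bytes}
    fs_b = {r"C:\Windows\Temp\t.exe": tool_bytes}

    digest_a, uploaded_a = Sensor("host-a", server).on_image_load(r"C:\Users\Public\t.exe", fs_a)
    digest_b, uploaded_b = Sensor("host-b", server).on_image_load(r"C:\Windows\Temp\t.exe", fs_b)

    # T1107: the adversary deletes the tool from both hosts after use.
    fs_a.clear()
    fs_b.clear()

    preserved = server.download("host-a", digest_a)       # still available server-side
    try:
        server.download("host-c", digest_a)               # host-c never encountered the file
        third_party_denied = False
    except PermissionError:
        third_party_denied = True

    return {
        "same_hash": digest_a == digest_b,
        "uploaded_by_first_host": uploaded_a,
        "uploaded_by_second_host": uploaded_b,
        "copies_on_server": len(server.store),
        "copy_survives_deletion": preserved == tool_bytes,
        "third_party_denied": third_party_denied,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The server recomputes the hash on upload rather than trusting the sensor's report, so a sensor on a compromised host cannot poison the store with bytes that do not match the hash other sensors reported; and because the store is keyed by content hash, a tool dropped under different paths on many hosts is transferred once and analysed once.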