test_scratch / cti-ATT-CK-v13.1 /ics-attack /attack-pattern /attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675.json
{
"type": "bundle",
"id": "bundle--bd332482-b2a5-4c17-82d9-f624d1805650",
"spec_version": "2.0",
"objects": [
{
"modified": "2022-09-19T14:12:22.878Z",
"name": "Data Destruction",
"description": "Adversaries may perform data destruction over the course of an operation. The adversary may drop or create malware, tools, or other non-native files on a target system to accomplish this, potentially leaving behind traces of malicious activities. Such non-native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post-intrusion cleanup process. (Citation: Enterprise ATT&CK January 2018)\n\nData destruction may also be used to render operator interfaces unable to respond and to disrupt response functions from occurring as expected. An adversary may also destroy data backups that are vital to recovery after an incident.\n\nStandard file deletion commands are available on most operating system and device interfaces to perform cleanup, but adversaries may use other tools as well. Two examples are Windows Sysinternals SDelete and Active@ Killdisk.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "inhibit-response-function"
}
],
"x_mitre_detection": "",
"x_mitre_platforms": [
"Control Server",
"Human-Machine Interface",
"Field Controller/RTU/PLC/IED"
],
"x_mitre_is_subtechnique": false,
"x_mitre_deprecated": false,
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_version": "1.0",
"x_mitre_contributors": [
"Matan Dobrushin - Otorio"
],
"x_mitre_data_sources": [
"File: File Deletion",
"File: File Modification",
"Command: Command Execution",
"Process: Process Creation"
],
"type": "attack-pattern",
"id": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
"created": "2020-05-21T17:43:26.506Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T0809",
"external_id": "T0809"
},
{
"source_name": "Enterprise ATT&CK January 2018",
"description": "Enterprise ATT&CK. (2018, January 11). File Deletion. Retrieved 2018/05/17.",
"url": "https://attack.mitre.org/wiki/Technique/T1107"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}
]
}