AN0411: Analytic 0411
Adversary spawns command-line tools (e.g., del, cipher /w, SDelete) or scripts to recursively delete or overwrite user/system files. This may be correlated with abnormal file IO activity, registry writes, or tampering in critical system directories.
Analyst context for executives and security teams
This analytic is about recognizing Windows activity consistent with destructive file deletion or overwriting, such as command-line tools or scripts recursively removing user or system files. For leaders, the value is resilience: if this behavior is missed, an incident can move quickly from compromise to business disruption, recovery workload, and evidence loss.
Executive priority
Prioritize this as a business-continuity and incident-response readiness question: can the organization quickly see and investigate suspicious recursive deletion or overwrite activity on Windows systems, especially when it involves critical directories or abnormal file I/O? The control decision is not just whether a tool is blocked, but whether SOC and IR teams have enough endpoint, process, file, and registry evidence to distinguish administrative maintenance from potentially destructive activity.
Technical view
Validate Windows detection coverage for command-line processes and scripts that delete or overwrite files at scale, including examples named in the ATT&CK description such as del, cipher /w, and SDelete. Because no official detection logic is supplied, teams should build or review analytics that correlate process execution with abnormal file I/O, registry writes, and tampering in critical system directories. Tuning should account for legitimate administrative cleanup, software deployment, disk wiping, and maintenance workflows.
Likely telemetry
- Windows process creation events with command-line arguments
- Script execution telemetry where available
- Endpoint file I/O or file deletion events, especially high-volume or recursive activity
- Registry write telemetry associated with the same host or process context
- Signals of modification or tampering in critical system directories
Detection direction
- Confirm command-line argument visibility for Windows process creation; process names alone are likely insufficient.
- Correlate suspicious deletion or overwrite tools/scripts with volume, recursion indicators, target paths, and unusual timing.
- Tune against known administrative cleanup, secure wipe, software deployment, and helpdesk activity to reduce false positives.
- Prioritize alerts involving user data locations, system directories, or activity paired with registry writes or directory tampering.
- Review whether endpoint logging retains enough detail during high-volume file operations, where telemetry loss can become a blind spot.
Mitigation priorities
- Establish and document approved administrative file deletion and secure wipe procedures so SOC teams can tune against known-good activity.
- Restrict use of destructive utilities and scripts to authorized administrators and managed change windows where feasible.
- Ensure endpoint logging and retention support investigation of process execution, file I/O, and registry activity on Windows systems.
- Protect critical system directories and important data locations with least privilege and change monitoring.
- Validate backup and recovery processes, since this behavior is directly relevant to destructive activity and operational recovery.
Analyst notes and limits
This object is a detection analytic, not a full ATT&CK technique entry. It provides a concise behavioral description for Windows but no tactic, relationship context, or official detection logic. The strongest practical use is as a validation prompt for SOC and IR readiness around destructive file operations.
No relationships, tactics, aliases, or official detection logic were supplied. This take does not assert active exploitation, attribution, specific malware behavior, or existing detection coverage. Local baselines are required to separate legitimate administrative deletion from suspicious destructive behavior.
Analytic 0411
Adversary spawns command-line tools (e.g., del, cipher /w, SDelete) or scripts to recursively delete or overwrite user/system files. This may be correlated with abnormal file IO activity, registry writes, or tampering in critical system directories.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 946ba600011f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0411Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.