Insider Threat Matrix™Insider Threat Matrix™
  • ID: DT003
  • Created: 25th May 2024
  • Updated: 25th May 2024
  • Platform: Windows
  • Contributor: The ITM Team

Windows File Deleted, Event Logs

Windows Event Log ID 4660 “An object was deleted” is generated when an object was deleted, such as a file system, kernel, or registry object. This Event is not enabled by default, and requires “Delete” auditing to be enabled in the object’s System Access Control List (SACL). This event doesn’t contain the name of the deleted object, so investigators must also utilize Event ID 4663.

Windows Event Log ID 4663 “An attempt was made to access an object” can be used in combination with Event ID 4660 to track object deletion. This Event is not enabled by default, and requires “Delete” auditing to be enabled in the object’s System Access Control List (SACL).

This may represent an anti-forensics technique if there is no reasonable explanation for why the objected was deleted from the system.

Sections

ID Name Description
AF002Log Deletion

The subject deliberately deletes logs to eliminate records of their activity and hinder subsequent investigation. This may include host-based logs (e.g., Windows Event Logs, Linux audit logs), application logs (e.g., authentication or access records), or network-level logs (e.g., firewall or proxy logs).

 

Deletion may be selective by targeting specific time ranges, event types, or identifiers, or more broad by wiping entire log files or directories to prevent attribution or timeline reconstruction.

AF035Native Application Misuse

Native application misuse occurs when a subject uses applications, services, binaries, scripts, or administrative utilities already present on a corporate endpoint or server to support, conceal, or facilitate an infringement without introducing new software. This may include exploring built-in operating system/command line tools, approved productivity applications, scripting environments, messaging clients, compression utilities, remote access components, cloud storage integrations, or endpoint management features to identify capabilities that can be repurposed for unauthorized outcomes.

 

The anti-forensics significance of this behavior is that the subject’s activity may appear consistent with legitimate operational use. Unlike the installation of unauthorized tools or overt malware, native application misuse relies on capabilities that are already trusted, allowed, or commonly present in the environment. This can make it difficult for investigators to distinguish legitimate activity from illegitimate activity without strong context, baseline comparison, command-line visibility, file access history, and correlation with the subject’s role, timing, intent, and surrounding investigative indicators.

 

A subject may deliberately elect to use a more complicated or convoluted method to achieve an illegitimate outcome when that method relies on native applications or approved services. In these cases, the subject may avoid introducing external software even where doing so would make the task faster, simpler, or more technically effective. The investigative significance is that the inefficient method may itself be purposeful: by operating through trusted tools already present on the endpoint, the subject reduces the number of distinct control violations, avoids software-installation indicators, and makes the activity harder to separate from legitimate business use.

 

This behavior may contribute to or facilitate an infringement by allowing a subject to stage, compress, transfer, hide, rename, encode, delete, alter, or access data using tools that do not independently appear suspicious. It may also support behavioral drift where repeated minor misuse of approved tools becomes normalized within a team or population, reducing the organization’s ability to identify meaningful deviations from acceptable use.

 

Investigative Relevance

Native application misuse should be assessed in relation to the subject’s role, normal working patterns, endpoint baseline, approved business processes, and the sensitivity of the data involved. Investigators should avoid treating native tool execution as inherently suspicious. The investigative concern arises when the subject uses ordinary capabilities in unusual combinations, at unusual times, against unusual data, or in ways that produce outcomes inconsistent with their duties.

 

Investigators should consider whether the subject’s chosen method appears unnecessarily complex when compared with easier external tooling options. Where a subject uses native applications in a slower, more manual, or more indirect manner, that choice may indicate an intent to preserve plausible legitimacy, avoid detection associated with unauthorized software, or obscure the behavioral sequence required to prove intent.

 

Relevant case logic may include:

  • A subject using built-in archive, scripting, browser, synchronization, or file management capabilities shortly before data loss, unauthorized access, or sabotage.
  • A subject performing repeated exploratory activity against native utilities, administrative consoles, local services, or corporate applications that are not required for their role.
  • A subject using approved tools to perform actions more commonly associated with staging, concealment, bulk collection, transfer, or destruction.
  • A subject’s activity remaining below traditional software-control thresholds because no new executable, installer, or external application was introduced.
  • A pattern of activity that appears individually explainable but collectively supports preparation, infringement, or anti-forensic concealment.

Example Behaviors

  • Using built-in compression or archive utilities to stage sensitive files before transfer.
  • Using PowerShell, shell scripts, command prompt, Terminal, or Windows Subsystem for Linux to enumerate, copy, encode, delete, or modify files.
  • Using corporate browsers, browser profiles, or approved extensions to access unsanctioned services without installing additional tools.
  • Using approved cloud synchronization clients to move files into locations that are less visible to standard file-share auditing.
  • Using native search, indexing, preview, or document history features to locate sensitive material outside normal workflow.
  • Using operating system rename, timestamp, metadata, recycle bin, clipboard, print-to-PDF, screenshot, or export functions to alter the appearance, location, or traceability of data.
  • Using existing remote access, collaboration, or screen-sharing services to view, transfer, or disclose information under the appearance of legitimate work activity.
  • Using scheduled tasks, launch agents, login items, shortcuts, or automation features already present on the endpoint to repeat activity without installing new software.
AF002.001Clear Windows Event Logs

A subject clears Windows Event logs to conceal evidence of their activities.

Windows Event Logs store various types of information, such as system errors, application events, security auditing messages, and other operational events.

The logs are stored in C:/WINDOWS/system32/config.

Windows Event Logs can be cleared using the Event Viewer utility, provided the user account has administrative privileges.

IF027.002Ransomware Deployment

The subject deploys ransomware within the organization’s environment, resulting in the encryption, locking, or destructive alteration of organizational data, systems, or backups. Ransomware used by insiders may be obtained from public repositories, affiliate programs (e.g. RaaS platforms), or compiled independently using commodity builder kits. Unlike external actors who rely on phishing or remote exploitation, insiders often bypass perimeter controls by detonating ransomware from within trusted systems using local access.

 

Ransomware payloads are typically compiled as executables, occasionally obfuscated using packers or crypters to evade detection. Execution may be initiated via command-line, scheduled task, script wrapper, or automated loader. Encryption routines often target common file extensions recursively across accessible volumes, mapped drives, and cloud sync folders. In advanced deployments, the subject may disable volume shadow copies (vssadmin delete shadows) or stop backup agents (net stop) prior to detonation to increase impact.

 

In some insider scenarios, ransomware is executed selectively: targeting specific departments, shares, or systems, rather than broad detonation. This behavior may indicate intent to send a message, sabotage selectively, or avoid attribution. Payment demands may be issued internally, externally, or omitted entirely if disruption is the primary motive.

IF027.004Remote Access Tool (RAT) Deployment

The subject deploys a Remote Access Tool (RAT): a software implant that provides covert, persistent remote control of an endpoint or server—enabling continued unauthorized access, monitoring, or post-employment re-entry. Unlike sanctioned remote administration platforms, RATs are deployed without organizational oversight and are often configured to obfuscate their presence, evade detection, or blend into legitimate activity.

 

RATs deployed by insiders may be off-the-shelf tools (e.g. njRAT, Quasar, Remcos), lightly modified open-source frameworks (e.g. Havoc, Pupy), or commercial-grade products repurposed for unsanctioned use (e.g. AnyDesk, TeamViewer in stealth mode). 

 

Functionality typically includes:

 

  • Full GUI or shell access
  • File system interaction
  • Screenshot and webcam capture
  • Credential harvesting
  • Process and registry manipulation
  • Optional keylogging and persistence modules

 

Deployment methods include manual installation, script-wrapped droppers, DLL side-loading, or execution via LOLBins (mshta, rundll32). Persistence is typically achieved through scheduled tasks, registry run keys, or disguised service installations. In some cases, the RAT may be configured to activate only during specific windows or respond to remote beacons, reducing exposure to detection.

IF027.005Destructive Malware Deployment

The subject deploys destructive malware; software designed to irreversibly damage systems, erase data, or disrupt operational availability. Unlike ransomware, which encrypts files to extort payment, destructive malware is deployed with the explicit intent to delete, corrupt, or disable systems and assets without recovery. Its objective is disruption or sabotage, not necessarily for direct financial gain.

 

This behavior may include:

 

  • Wiper malware (e.g. HermeticWiper, WhisperGate, ZeroCleare)
  • Logic bombs or time-triggered deletion scripts
  • Bootloader overwrite tools or UEFI tampering utilities
  • Mass delete or format scripts (format, cipher /w, del /s /q, rm -rf)
  • Data corruption utilities (e.g. file rewriters, header corruptors)
  • Credential/system-wide lockout scripts (e.g. disabling accounts, resetting passwords en masse)

 

Insiders may deploy destructive malware as an act of retaliation (e.g. prior to departure), sabotage (e.g. to disrupt an investigation or competitor), or under coercion. Detonation may be manual or scheduled, and in some cases the malware is disguised as routine tooling to delay detection.

 

Destructive deployment is high-severity and often coincides with forensic tampering or precursor access based infringements (e.g. file enumeration or backup deletion).

PR020.004Masquerading Sensitive Data as Personal Files

A subject intentionally alters the filename, file extension, metadata tags, document properties, or visible descriptive attributes of sensitive organizational data to make it appear to be benign personal information. This may include disguising proprietary, regulated, technical, financial, customer, or strategic material as photographs, household records, recipes, receipts, travel documents, music files, temporary files, or other low-risk personal content.

 

This technique is typically performed before data staging, transfer, or exfiltration. It may reduce scrutiny during manual review, mislead investigators during triage, or weaken controls that rely on filename, extension, path, metadata, or user-applied classification fields. Investigators should assess this behavior in proximity to file access, bulk download, archive creation, removable media use, cloud upload, email transmission, or other indicators of planned data loss.

 

A common scenario occurs during offboarding, where a subject is permitted to remove or transfer legitimate personal files from a corporate device before returning the asset. The subject may exploit this authorized window by disguising sensitive organizational data as personal material, relying on the expectation that files labeled as photographs, tax records, household documents, or other personal content will receive less scrutiny. This behavior can create ambiguity for investigators because the initial transfer context may appear procedurally authorized, while the concealed content indicates preparation for later exfiltration or unauthorized retention.

 

Examples of Use

  • A subject renames 2026_Product_Roadmap.xlsx to holiday_budget.xlsx before copying it to removable media.
  • A subject changes customer_export.csv to family_photos.tmp and stores it in a personal folder prior to upload.
  • A subject modifies document properties, author fields, tags, or comments to remove project, client, or classification references.
  • A subject applies misleading metadata such as “personal,” “recipe,” “tax,” “school,” or “photos” to files containing proprietary information.
  • A subject changes an engineering design file extension to appear as a media, text, or backup file before moving it into a staged directory.