Detections

Windows Event Log ID 4660 “An object was deleted” is generated when an object was deleted, such as a file system, kernel, or registry object. This Event is not enabled by default, and requires “Delete” auditing to be enabled in the object’s System Access Control List (SACL). This event doesn’t contain the name of the deleted object, so investigators must also utilize Event ID 4663.

Windows Event Log ID 4663 “An attempt was made to access an object” can be used in combination with Event ID 4660 to track object deletion. This Event is not enabled by default, and requires “Delete” auditing to be enabled in the object’s System Access Control List (SACL).

This may represent an anti-forensics technique if there is no reasonable explanation for why the objected was deleted from the system.

Sections

ID	Name	Description
AF002	Log Deletion	The subject deliberately deletes logs to eliminate records of their activity and hinder subsequent investigation. This may include host-based logs (e.g., Windows Event Logs, Linux audit logs), application logs (e.g., authentication or access records), or network-level logs (e.g., firewall or proxy logs). Deletion may be selective by targeting specific time ranges, event types, or identifiers, or more broad by wiping entire log files or directories to prevent attribution or timeline reconstruction.
AF002.001	Clear Windows Event Logs	A subject clears Windows Event logs to conceal evidence of their activities. Windows Event Logs store various types of information, such as system errors, application events, security auditing messages, and other operational events. The logs are stored in `C:/WINDOWS/system32/config`. Windows Event Logs can be cleared using the Event Viewer utility, provided the user account has administrative privileges.
IF027.002	Ransomware Deployment	The subject deploys ransomware within the organization’s environment, resulting in the encryption, locking, or destructive alteration of organizational data, systems, or backups. Ransomware used by insiders may be obtained from public repositories, affiliate programs (e.g. RaaS platforms), or compiled independently using commodity builder kits. Unlike external actors who rely on phishing or remote exploitation, insiders often bypass perimeter controls by detonating ransomware from within trusted systems using local access. Ransomware payloads are typically compiled as executables, occasionally obfuscated using packers or crypters to evade detection. Execution may be initiated via command-line, scheduled task, script wrapper, or automated loader. Encryption routines often target common file extensions recursively across accessible volumes, mapped drives, and cloud sync folders. In advanced deployments, the subject may disable volume shadow copies (vssadmin delete shadows) or stop backup agents (net stop) prior to detonation to increase impact. In some insider scenarios, ransomware is executed selectively: targeting specific departments, shares, or systems, rather than broad detonation. This behavior may indicate intent to send a message, sabotage selectively, or avoid attribution. Payment demands may be issued internally, externally, or omitted entirely if disruption is the primary motive.
IF027.004	Remote Access Tool (RAT) Deployment	The subject deploys a Remote Access Tool (RAT): a software implant that provides covert, persistent remote control of an endpoint or server—enabling continued unauthorized access, monitoring, or post-employment re-entry. Unlike sanctioned remote administration platforms, RATs are deployed without organizational oversight and are often configured to obfuscate their presence, evade detection, or blend into legitimate activity. RATs deployed by insiders may be off-the-shelf tools (e.g. njRAT, Quasar, Remcos), lightly modified open-source frameworks (e.g. Havoc, Pupy), or commercial-grade products repurposed for unsanctioned use (e.g. AnyDesk, TeamViewer in stealth mode). Functionality typically includes: Full GUI or shell access File system interaction Screenshot and webcam capture Credential harvesting Process and registry manipulation Optional keylogging and persistence modules Deployment methods include manual installation, script-wrapped droppers, DLL side-loading, or execution via LOLBins (`mshta`, `rundll32`). Persistence is typically achieved through scheduled tasks, registry run keys, or disguised service installations. In some cases, the RAT may be configured to activate only during specific windows or respond to remote beacons, reducing exposure to detection.
IF027.005	Destructive Malware Deployment	The subject deploys destructive malware; software designed to irreversibly damage systems, erase data, or disrupt operational availability. Unlike ransomware, which encrypts files to extort payment, destructive malware is deployed with the explicit intent to delete, corrupt, or disable systems and assets without recovery. Its objective is disruption or sabotage, not necessarily for direct financial gain. This behavior may include: Wiper malware (e.g. `HermeticWiper`, `WhisperGate`, `ZeroCleare`) Logic bombs or time-triggered deletion scripts Bootloader overwrite tools or UEFI tampering utilities Mass delete or format scripts (`format`, `cipher /w`, `del /s /q`, `rm -rf`) Data corruption utilities (e.g. file rewriters, header corruptors) Credential/system-wide lockout scripts (e.g. disabling accounts, resetting passwords en masse) Insiders may deploy destructive malware as an act of retaliation (e.g. prior to departure), sabotage (e.g. to disrupt an investigation or competitor), or under coercion. Detonation may be manual or scheduled, and in some cases the malware is disguised as routine tooling to delay detection. Destructive deployment is high-severity and often coincides with forensic tampering or precursor access based infringements (e.g. file enumeration or backup deletion).