Insider Threat Matrix™
  • ID: DT038
  • Created: 01st June 2024
  • Updated: 14th June 2024
  • Platform: Windows
  • Contributor: The ITM Team

Windows Recycle Bin

On Windows 10, we can find the Recycle Bin directory for all users at C:\$Recycle.Bin. Inside this location are sub-folders named after user account SIDs. To get a list of user accounts and their SIDs on a system, Windows Management Instrumentation Command (WMIC) can be used: wmic useraccount get name,SID.

Files that begin with $R followed by a random string contain the true file contents of the recycled file.

Files that begin with $I and end in the same string as the $R file counterpart contain the metadata for that specific file, such as the original filename, path, size, and timestamp of when the file was deleted.

If the user has emptied the Recycle Bin, we lose this artifact and cannot analyze it. Instead, we would need to carve these files from a disk image.

Sections

ID Name Description
AF015 File Deletion

A subject deletes a file or files to prevent them from being available for later analysis or to disrupt the availability of a system. This could include log files, files downloaded by the subject, files created by the subject, or system files.

AF004.001 Clear Chrome Artifacts

A subject clears Google Chrome browser artifacts to hide evidence of their activities, such as visited websites, cache, cookies, and download history.

AF004.003 Clear Firefox Artifacts

A subject clears Mozilla Firefox browser artifacts to hide evidence of their activities, such as visited websites, cache, cookies, and download history.

AF004.002 Clear Edge Artifacts

A subject clears Microsoft Edge browser artifacts to hide evidence of their activities, such as visited websites, cache, cookies, and download history.

IF013.001 File or Data Deletion

A subject deletes organizational files or data (manually or through tooling) outside authorized workflows, resulting in the loss, concealment, or unavailability of operational assets. This infringement encompasses both targeted deletion (e.g. selected records, logs, or documents) and bulk removal (e.g. recursive deletion of directories or volumes).

Unlike Destructive Malware Deployment, which uses self-propagating or malicious code to irreversibly damage systems, this behavior reflects direct user-driven actions or scripts that remove or purge data without employing destructive payloads. Deletions may be conducted via built-in utilities, custom scripts, scheduled tasks, or misuse of administrative tools such as backup managers or version control systems.

This activity frequently occurs to:

  • Conceal evidence of other infringing actions (e.g. log deletion to frustrate investigation)
  • Sabotage availability of critical information (e.g. deleting shared drives or project directories)
  • Facilitate exfiltration or preparation (e.g. purging redundant files before copying sensitive data)

It may also involve secondary actions such as emptying recycle bins, purging shadow copies, disabling version histories, or wiping removable media to obscure the scope of deletion.

IF027.004 Remote Access Tool (RAT) Deployment

The subject deploys a Remote Access Tool (RAT): a software implant that provides covert, persistent remote control of an endpoint or server—enabling continued unauthorized access, monitoring, or post-employment re-entry. Unlike sanctioned remote administration platforms, RATs are deployed without organizational oversight and are often configured to obfuscate their presence, evade detection, or blend into legitimate activity.

RATs deployed by insiders may be off-the-shelf tools (e.g. njRAT, Quasar, Remcos), lightly modified open-source frameworks (e.g. Havoc, Pupy), or commercial-grade products repurposed for unsanctioned use (e.g. AnyDesk, TeamViewer in stealth mode).

Functionality typically includes:

  • Full GUI or shell access
  • File system interaction
  • Screenshot and webcam capture
  • Credential harvesting
  • Process and registry manipulation
  • Optional keylogging and persistence modules

Deployment methods include manual installation, script-wrapped droppers, DLL side-loading, or execution via LOLBins (mshta, rundll32). Persistence is typically achieved through scheduled tasks, registry run keys, or disguised service installations. In some cases, the RAT may be configured to activate only during specific windows or respond to remote beacons, reducing exposure to detection.