Applied Cybernetics Group
T1070.004 — File Deletion
- Technique: T1070.004
- Tactics: Stealth
- MISP citations: 0
- KEV CVEs mapped: 5
- Community rules: 15
- thrunt rules: 0
- Upstream: https://attack.mitre.org/techniques/T1070/004
MITRE description
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces to indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. (Citation: Microsoft SDelete July 2016) Examples of built-in [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) functions include `del` on Windows, `rm` or `unlink` on Linux and macOS, and `rm` on ESXi.
KEV CVEs mapped to this technique
Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.
Detection coverage
SigmaHQ community rules
- ADS Zone.Identifier Deleted (threat-hunting)
- Use Of Remove-Item to Delete File - ScriptBlock (threat-hunting)
- File Deletion (core)
- Cisco File Deletion (core)
- Backup Catalog Deleted (core)
- Potential Secure Deletion with SDelete (core)
- Prefetch File Deleted (core)
- TeamViewer Log File Deleted (core)
- File Deleted Via Sysinternals SDelete (core)
- ADS Zone.Identifier Deleted By Uncommon Application (core)
- File Deletion Via Del (core)
- Greedy File Deletion Using Del (core)
- Potentially Suspicious Ping/Copy Command Combination (core)
- Suspicious Ping/Del Command Combination (core)
- Directory Removal Via Rmdir (core)