T1070.004 File Deletion Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileDeleted"
| where (
    // Executables/scripts deleted from staging directories
    (FolderPath has_any ("\\Temp\\", "\\AppData\\Local\\Temp\\", "\\ProgramData\\", "\\Users\\Public\\", "\\Windows\\Temp\\")
     and (FileName endswith ".exe" or FileName endswith ".dll" or FileName endswith ".bat"
          or FileName endswith ".ps1" or FileName endswith ".vbs" or FileName endswith ".js"
          or FileName endswith ".hta" or FileName endswith ".cmd"))
    or
    // SDelete usage (overwrites then deletes — generates high-volume file events)
    (InitiatingProcessFileName =~ "sdelete.exe" or InitiatingProcessFileName =~ "sdelete64.exe")
    or
    // Process deleting its own executable (self-deletion pattern)
    (InitiatingProcessFolderPath =~ FolderPath and InitiatingProcessFileName =~ FileName)
)
| where InitiatingProcessFileName !in~ ("msiexec.exe", "setup.exe", "uninstall.exe", "MpSigStub.exe",
                                         "TiWorker.exe", "TrustedInstaller.exe")
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ActionType,
         InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| sort by Timestamp desc

medium severity medium confidence

Data Sources

File: File Deletion Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents DeviceProcessEvents

False Positives

Legitimate software installers and updaters that clean up temporary files after installation completes
Antivirus quarantine and remediation tools deleting malware samples they have identified and contained
Build systems and CI/CD pipelines that compile code and clean up intermediate artifacts in TEMP directories
IT management tools like SCCM or PDQ that deploy and remove packages, leaving temporary files that are then cleaned up

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=23
| where (match(TargetFilename, "(?i)(\\\\Temp\\\\|\\\\AppData\\\\Local\\\\Temp\\\\|\\\\ProgramData\\\\|\\\\Users\\\\Public\\\\|\\\\Windows\\\\Temp\\\\)")
         AND match(TargetFilename, "(?i)\\.(exe|dll|bat|ps1|vbs|js|hta|cmd)$"))
   OR (Image like "%sdelete.exe" OR Image like "%sdelete64.exe")
| where NOT (Image like "%msiexec.exe" OR Image like "%TrustedInstaller.exe" OR Image like "%TiWorker.exe")
| eval DeletionType=case(
    Image like "%sdelete%", "SDelete Secure Deletion",
    match(TargetFilename, "(?i)\\.(exe|dll)$"), "Binary Deletion from Staging Dir",
    match(TargetFilename, "(?i)\\.(ps1|bat|cmd|vbs|js|hta)$"), "Script Deletion from Staging Dir",
    true(), "Other File Deletion"
  )
| table _time, host, User, Image, CommandLine, TargetFilename, DeletionType
| sort - _time

medium severity medium confidence

Data Sources

File: File Deletion Sysmon Event ID 23

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Software deployment tools cleaning up temporary installation files after successful package installation
Security tools that delete quarantined malware samples from staging directories
Developer workstations running build scripts that compile then delete intermediate binary artifacts
Patch management solutions extracting and deleting temporary patch files from Windows\Temp

Elastic Security (EQL)

eql

file where event.action == "deletion" and (
  (
    file.path : ("*\\Temp\\*", "*\\AppData\\Local\\Temp\\*", "*\\ProgramData\\*", "*\\Users\\Public\\*", "*\\Windows\\Temp\\*")
    and file.name : ("*.exe", "*.dll", "*.bat", "*.ps1", "*.vbs", "*.js", "*.hta", "*.cmd")
  )
  or process.name : ("sdelete.exe", "sdelete64.exe")
  or (
    process.executable : file.path
  )
)
and not process.name : ("msiexec.exe", "setup.exe", "uninstall.exe", "MpSigStub.exe", "TiWorker.exe", "TrustedInstaller.exe")

high severity high confidence

Data Sources

Elastic Endpoint Security Elastic Agent file monitoring Sysmon via Filebeat (event.code:23)

Required Tables

logs-endpoint.events.file-* winlogbeat-*

False Positives

Software installers and update mechanisms (Windows Update, third-party installers) that clean up temporary files after installation
Antivirus and EDR products quarantining or removing detected malware files from temp directories
Developer toolchains (npm, pip, cargo) that create and delete temporary build artifacts in AppData or Temp directories

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  username,
  sourceip,
  "filename",
  "filepath",
  "processname",
  "commandline",
  CATEGORYNAME(category) AS Category,
  QIDNAME(qid) AS EventName
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 352)
  AND (
    (
      LOWER("filepath") MATCHES '.*\\\\(temp|appdata\\local\\temp|programdata|users\\\\public|windows\\\\temp)\\\\.*'
      AND LOWER("filename") MATCHES '.*\\.(exe|dll|bat|ps1|vbs|js|hta|cmd)$'
    )
    OR LOWER("processname") MATCHES '.*(sdelete|sdelete64)\.exe$'
    OR ("processname" IS NOT NULL AND "processname" = "filename")
  )
  AND LOWER("processname") NOT MATCHES '.*(msiexec|setup|uninstall|mpsigstub|tiworker|trustedinstaller)\.exe$'
  AND LOGSOURCETYPEID(logsourceid) NOT IN (105, 199)
ORDER BY starttime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

IBM QRadar SIEM Sysmon (Event ID 23) Windows Security Event Log Microsoft Windows DSM

Required Tables

events

False Positives

Windows Installer (msiexec.exe) removing temporary installation packages from ProgramData or Temp during software deployment
Microsoft Defender (MsMpEng.exe) or third-party AV products removing quarantined malicious files detected in staging directories
Configuration management tools (SCCM, Ansible, Chef) that deploy scripts to temp directories and clean them up after execution

Sumo Logic CSE

sql

_sourceCategory=*windows*sysmon* OR _sourceCategory=*wineventlog*sysmon*
| where EventID = "23"
| parse field=Message "TargetFilename: *\n" as TargetFilename nodrop
| parse field=Message "Image: *\n" as Image nodrop
| parse field=Message "CommandLine: *\n" as CommandLine nodrop
| parse field=Message "User: *\n" as User nodrop
| where (
    (
      matches(TargetFilename, "(?i).*(\\\\Temp\\\\|\\\\AppData\\\\Local\\\\Temp\\\\|\\\\ProgramData\\\\|\\\\Users\\\\Public\\\\|\\\\Windows\\\\Temp\\\\).*")
      AND matches(TargetFilename, "(?i).*\\.(exe|dll|bat|ps1|vbs|js|hta|cmd)$")
    )
    OR matches(Image, "(?i).*(sdelete|sdelete64)\.exe$")
    OR (
      substring(Image, lastIndexOf(Image, "\\") + 1) = substring(TargetFilename, lastIndexOf(TargetFilename, "\\") + 1)
    )
  )
| where !(matches(Image, "(?i).*(msiexec|setup|uninstall|MpSigStub|TiWorker|TrustedInstaller)\.exe$"))
| eval DeletionType = if(matches(Image, "(?i).*sdelete.*"), "SDelete Secure Deletion",
    if(matches(TargetFilename, "(?i).*\\.(exe|dll)$"), "Binary Deletion from Staging Dir",
    if(matches(TargetFilename, "(?i).*\\.(ps1|bat|cmd|vbs|js|hta)$"), "Script Deletion from Staging Dir",
    "Self-Deletion Pattern")))
| table _messageTime, _sourceHost, User, Image, CommandLine, TargetFilename, DeletionType
| sort by _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Sysmon operational logs via Sumo Logic Installed Collector Windows Event Log source

Required Tables

Sysmon Event ID 23 logs

False Positives

Software packaging and deployment solutions removing bundled scripts after silent installations complete in corporate environments
Endpoint protection platforms (CrowdStrike Falcon, Carbon Black) performing remediation by deleting identified malware from temp directories
Developer IDEs and build systems (Visual Studio, JetBrains) that compile binaries to temp locations and delete intermediate artifacts after successful builds

Google Chronicle / SecOps

yaral

rule t1070_004_file_deletion_staging_dir {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects deletion of executables and scripts from staging directories, SDelete secure deletion usage, and process self-deletion patterns (T1070.004 - File Deletion)"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1070.004"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-13"

  events:
    $e.metadata.event_type = "FILE_DELETION"
    $e.principal.hostname != ""

    (
      (
        re.regex($e.target.file.full_path, `(?i)(\\Temp\\|\\AppData\\Local\\Temp\\|\\ProgramData\\|\\Users\\Public\\|\\Windows\\Temp\\)`)
        and re.regex($e.target.file.full_path, `(?i)\.(exe|dll|bat|ps1|vbs|js|hta|cmd)$`)
      )
      or re.regex($e.principal.process.file.full_path, `(?i)(sdelete|sdelete64)\.exe$`)
      or (
        $e.principal.process.file.full_path = $e.target.file.full_path
      )
    )

    not re.regex($e.principal.process.file.full_path, `(?i)(msiexec|setup|uninstall|MpSigStub|TiWorker|TrustedInstaller)\.exe$`)

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Windows endpoint telemetry via Chronicle forwarder Sysmon Event ID 23 ingested into Chronicle UDM

Required Tables

UDM events with event_type FILE_DELETION

False Positives

Windows Update (TiWorker.exe, TrustedInstaller.exe) and Windows Installer (msiexec.exe) removing staging files during patching cycles — already excluded in rule logic
Security operations teams running SDelete intentionally for data sanitization or secure workstation decommissioning workflows
Application virtualization platforms (VMware App Volumes, Microsoft App-V) that decompress app packages to temp directories and clean up after session launch

CrowdStrike LogScale (CQL)

cql

#event_simpleName=FileDeleteInfo
| where TargetFileName matches regex(?i) @"(\\Temp\\|\\AppData\\Local\\Temp\\|\\ProgramData\\|\\Users\\Public\\|\\Windows\\Temp\\)"
    AND TargetFileName matches regex(?i) @"\.(exe|dll|bat|ps1|vbs|js|hta|cmd)$"
| or #event_simpleName=FileDeleteInfo
| where ImageFileName matches regex(?i) @"(sdelete|sdelete64)\.exe$"
| or #event_simpleName=FileDeleteInfo
| where ImageFileName = TargetFileName
| eval DeletionType = case(
    ImageFileName matches regex(?i) @"sdelete",
        "SDelete Secure Deletion",
    TargetFileName matches regex(?i) @"\.(exe|dll)$",
        "Binary Deletion from Staging Dir",
    TargetFileName matches regex(?i) @"\.(ps1|bat|cmd|vbs|js|hta)$",
        "Script Deletion from Staging Dir",
    ImageFileName = TargetFileName,
        "Process Self-Deletion",
    true(),
        "Other"
  )
| where NOT (ImageFileName matches regex(?i) @"(msiexec|MpSigStub|TiWorker|TrustedInstaller)\.exe$")
| groupBy([ComputerName, UserName, ImageFileName, CommandLine, TargetFileName, DeletionType], function=count(as=DeleteCount))
| sort DeleteCount desc

high severity high confidence

Data Sources

CrowdStrike Falcon EDR Falcon LogScale (Humio) CrowdStrike FileDeleteInfo telemetry

Required Tables

#event_simpleName=FileDeleteInfo

False Positives

Software deployment and patching automation (SCCM, Intune, PDQ Deploy) that stage executable packages in ProgramData or Temp and remove them after silent installation
CrowdStrike Falcon sensor itself or other EDR agents removing quarantined threat artifacts from staging directories as part of automated remediation workflows
Scripted application packaging pipelines (Chocolatey, Scoop, winget) that download installers to Temp directories and delete them after successful software installation

File Deletion

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections