T1070.004 Google Chronicle · YARA-L

Detect File Deletion in Google Chronicle

Adversaries delete files created during their intrusion to remove forensic evidence of their presence. This includes malware droppers, staged tools, credential harvest output files, scan results, and exfiltrated data copies. Common methods include the del or erase commands on Windows, rm or unlink on Linux/macOS, PowerShell Remove-Item, and specialized secure-deletion tools like SDelete (Sysinternals) which overwrites file content before deletion to prevent recovery. Self-deleting malware (RansomHub, SamSam, ProLock, APT38's CLOSESHAVE utility, TeamTNT, Aquatic Panda) is extremely common — the malware executes then schedules its own deletion via cmd.exe /c del commands or moves itself to TEMP and deletes. Detection relies on correlating file creation events with rapid subsequent deletion, process lineage anomalies (svchost.exe or Office processes deleting files from TEMP), and behavioral baselining of which processes legitimately delete from which directories.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1070 Indicator Removal
Sub-technique
T1070.004 File Deletion
Canonical reference
https://attack.mitre.org/techniques/T1070/004/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule t1070_004_file_deletion_staging_dir {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects deletion of executables and scripts from staging directories, SDelete secure deletion usage, and process self-deletion patterns (T1070.004 - File Deletion)"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1070.004"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-13"

  events:
    $e.metadata.event_type = "FILE_DELETION"
    $e.principal.hostname != ""

    (
      (
        re.regex($e.target.file.full_path, `(?i)(\\Temp\\|\\AppData\\Local\\Temp\\|\\ProgramData\\|\\Users\\Public\\|\\Windows\\Temp\\)`)
        and re.regex($e.target.file.full_path, `(?i)\.(exe|dll|bat|ps1|vbs|js|hta|cmd)$`)
      )
      or re.regex($e.principal.process.file.full_path, `(?i)(sdelete|sdelete64)\.exe$`)
      or (
        $e.principal.process.file.full_path = $e.target.file.full_path
      )
    )

    not re.regex($e.principal.process.file.full_path, `(?i)(msiexec|setup|uninstall|MpSigStub|TiWorker|TrustedInstaller)\.exe$`)

  condition:
    $e
}
high severity high confidence

Chronicle YARA-L 2.0 rule detecting T1070.004 file deletion via FILE_DELETION UDM events. Identifies deletion of executable and script files from common staging directories (Temp, ProgramData, Users\Public), use of the SDelete secure deletion utility, and self-deleting process patterns. Excludes known-good Windows Installer and update processes.

Data Sources

Google Chronicle SIEMWindows endpoint telemetry via Chronicle forwarderSysmon Event ID 23 ingested into Chronicle UDM

Required Tables

UDM events with event_type FILE_DELETION

False Positives & Tuning

  • Windows Update (TiWorker.exe, TrustedInstaller.exe) and Windows Installer (msiexec.exe) removing staging files during patching cycles — already excluded in rule logic
  • Security operations teams running SDelete intentionally for data sanitization or secure workstation decommissioning workflows
  • Application virtualization platforms (VMware App Volumes, Microsoft App-V) that decompress app packages to temp directories and clean up after session launch
Download portable Sigma rule (.yml)

Other platforms for T1070.004

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Delete Staged Executable from TEMP Directory

    Expected signal: Sysmon EventCode 11 (FileCreate) for argus_test_payload.exe in TEMP. Sysmon EventCode 23 (FileDelete) for the same file 2 seconds later. DeviceFileEvents in MDE: FileCreated then FileDeleted for the same path within seconds. Process creation for cmd.exe with del argument.

  2. Test 2Secure File Deletion with SDelete

    Expected signal: Process creation for sdelete.exe with target file path argument. Multiple Sysmon EventCode 23 (FileDelete) or raw file write events as SDelete overwrites file content. Prefetch entry for SDELETE.EXE. MDE DeviceProcessEvents for sdelete.exe execution.

  3. Test 3PowerShell Self-Deletion Pattern

    Expected signal: PowerShell process creation writing .ps1 script to TEMP. Child cmd.exe process launched with del command targeting the same .ps1 file path. Sysmon EventCode 11 (FileCreate) for the .ps1 then EventCode 23 (FileDelete) after the timeout. The parent-child chain PowerShell → cmd.exe /c del is a high-fidelity self-deletion indicator.

Last updated: 2026-04-13 Research depth: deep
References (3)

Unlock Pro Content

Get the full detection package for T1070.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1070Indicator Removal

Related Sub-techniques

T1070.001Clear Windows Event LogsT1070.002Clear Linux or Mac System LogsT1070.003Clear Command HistoryT1070.005Network Share Connection RemovalT1070.006TimestompT1070.007Clear Network Connection History and ConfigurationsT1070.008Clear Mailbox DataT1070.009Clear PersistenceT1070.010Relocate Malware

Related Techniques

T1070.003Clear Command HistoryT1070.001Clear Windows Event LogsT1105Ingress Tool TransferT1036.005Match Legitimate Resource Name or LocationT1070.010Relocate MalwareT1485Data Destruction

Same Tactic: Defense Evasion

Popular Detections