Detect File Deletion in Elastic Security
Adversaries delete files created during their intrusion to remove forensic evidence of their presence. This includes malware droppers, staged tools, credential harvest output files, scan results, and exfiltrated data copies. Common methods include the del or erase commands on Windows, rm or unlink on Linux/macOS, PowerShell Remove-Item, and specialized secure-deletion tools like SDelete (Sysinternals) which overwrites file content before deletion to prevent recovery. Self-deleting malware (RansomHub, SamSam, ProLock, APT38's CLOSESHAVE utility, TeamTNT, Aquatic Panda) is extremely common — the malware executes then schedules its own deletion via cmd.exe /c del commands or moves itself to TEMP and deletes. Detection relies on correlating file creation events with rapid subsequent deletion, process lineage anomalies (svchost.exe or Office processes deleting files from TEMP), and behavioral baselining of which processes legitimately delete from which directories.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1070 Indicator Removal
- Sub-technique
- T1070.004 File Deletion
- Canonical reference
- https://attack.mitre.org/techniques/T1070/004/
Elastic Detection Query
file where event.action == "deletion" and (
(
file.path : ("*\\Temp\\*", "*\\AppData\\Local\\Temp\\*", "*\\ProgramData\\*", "*\\Users\\Public\\*", "*\\Windows\\Temp\\*")
and file.name : ("*.exe", "*.dll", "*.bat", "*.ps1", "*.vbs", "*.js", "*.hta", "*.cmd")
)
or process.name : ("sdelete.exe", "sdelete64.exe")
or (
process.executable : file.path
)
)
and not process.name : ("msiexec.exe", "setup.exe", "uninstall.exe", "MpSigStub.exe", "TiWorker.exe", "TrustedInstaller.exe")Detects file deletion of executables and scripts from staging directories, SDelete secure deletion usage, and process self-deletion patterns indicative of malware cleanup (T1070.004). Covers common adversary techniques including RansomHub, APT38, and TeamTNT-style self-deleting malware.
Data Sources
Required Tables
False Positives & Tuning
- Software installers and update mechanisms (Windows Update, third-party installers) that clean up temporary files after installation
- Antivirus and EDR products quarantining or removing detected malware files from temp directories
- Developer toolchains (npm, pip, cargo) that create and delete temporary build artifacts in AppData or Temp directories
Other platforms for T1070.004
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Delete Staged Executable from TEMP Directory
Expected signal: Sysmon EventCode 11 (FileCreate) for argus_test_payload.exe in TEMP. Sysmon EventCode 23 (FileDelete) for the same file 2 seconds later. DeviceFileEvents in MDE: FileCreated then FileDeleted for the same path within seconds. Process creation for cmd.exe with del argument.
- Test 2Secure File Deletion with SDelete
Expected signal: Process creation for sdelete.exe with target file path argument. Multiple Sysmon EventCode 23 (FileDelete) or raw file write events as SDelete overwrites file content. Prefetch entry for SDELETE.EXE. MDE DeviceProcessEvents for sdelete.exe execution.
- Test 3PowerShell Self-Deletion Pattern
Expected signal: PowerShell process creation writing .ps1 script to TEMP. Child cmd.exe process launched with del command targeting the same .ps1 file path. Sysmon EventCode 11 (FileCreate) for the .ps1 then EventCode 23 (FileDelete) after the timeout. The parent-child chain PowerShell → cmd.exe /c del is a high-fidelity self-deletion indicator.
Unlock Pro Content
Get the full detection package for T1070.004 including response playbook, investigation guide, and atomic red team tests.