T1070.004 CrowdStrike LogScale · LogScale

Detect File Deletion in CrowdStrike LogScale

Adversaries delete files created during their intrusion to remove forensic evidence of their presence: malware droppers, staged tools, credential-harvesting output, scan results, and local copies of exfiltrated data. Common methods include the del or erase commands on Windows, rm or unlink on Linux/macOS, PowerShell Remove-Item, and secure-deletion tools such as SDelete (Sysinternals), which overwrites file content before unlinking it to defeat recovery. Self-deleting malware (RansomHub, SamSam, ProLock, APT38's CLOSESHAVE utility, TeamTNT, Aquatic Panda) is extremely common: the malware executes, then schedules its own deletion via cmd.exe /c del or moves itself to TEMP and deletes the copy. Detection relies on correlating file creation events with rapid subsequent deletion, on process lineage anomalies (svchost.exe or Office processes deleting files from TEMP), and on baselining which processes legitimately delete from which directories.

MITRE ATT&CK

  • Tactic: Defense Evasion
  • Technique: T1070 Indicator Removal
  • Sub-technique: T1070.004 File Deletion
  • Canonical reference: https://attack.mitre.org/techniques/T1070/004/

LogScale Detection Query

CrowdStrike LogScale (LogScale)

#event_simpleName=FileDeleteInfo
// Match any of: staged binary/script deleted, SDelete invoked, or a process deleting its own image
| (
    (TargetFileName=/(\\Temp\\|\\AppData\\Local\\Temp\\|\\ProgramData\\|\\Users\\Public\\|\\Windows\\Temp\\)/i
     AND TargetFileName=/\.(exe|dll|bat|ps1|vbs|js|hta|cmd)$/i)
    OR ImageFileName=/(sdelete|sdelete64)\.exe$/i
    OR test(ImageFileName == TargetFileName)
  )
// Self-deletion is tested before the extension branches so a self-deleting .exe
// is labelled as self-deletion rather than as a plain binary deletion
| case {
    ImageFileName=/sdelete/i | DeletionType := "SDelete Secure Deletion";
    test(ImageFileName == TargetFileName) | DeletionType := "Process Self-Deletion";
    TargetFileName=/\.(exe|dll)$/i | DeletionType := "Binary Deletion from Staging Dir";
    TargetFileName=/\.(ps1|bat|cmd|vbs|js|hta)$/i | DeletionType := "Script Deletion from Staging Dir";
    * | DeletionType := "Other";
  }
// Known benign deleters (Windows servicing and Defender signature updates)
| ImageFileName!=/(msiexec|MpSigStub|TiWorker|TrustedInstaller)\.exe$/i
| groupBy([ComputerName, UserName, ImageFileName, CommandLine, TargetFileName, DeletionType], function=count(as=DeleteCount))
| sort(DeleteCount, order=desc)

Severity: high · Confidence: high

Detects T1070.004 file deletion using CrowdStrike Falcon's FileDeleteInfo telemetry event. Identifies deletion of executables and scripts from Windows staging directories (Temp, AppData, ProgramData, Users\Public), SDelete secure deletion tool invocation, and process self-deletion patterns used by self-deleting malware families like RansomHub and APT38. Groups results by host and process for rapid analyst triage.
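To check the rule's branching offline before deploying it, here is an added Python example (not from the page's author and not CrowdStrike code) that mirrors the query's staging-directory, SDelete, self-deletion and exclusion conditions over a handful of constructed FileDeleteInfo-style events. Field names follow the query; the sample events and hostnames are made up for illustration.

```python
import re
from collections import Counter

# Patterns mirroring the LogScale query above (assumption: same Falcon field names).
STAGING_DIR = re.compile(r"(\\Temp\\|\\AppData\\Local\\Temp\\|\\ProgramData\\|\\Users\\Public\\|\\Windows\\Temp\\)", re.I)
STAGED_EXT = re.compile(r"\.(exe|dll|bat|ps1|vbs|js|hta|cmd)$", re.I)
BINARY_EXT = re.compile(r"\.(exe|dll)$", re.I)
SCRIPT_EXT = re.compile(r"\.(ps1|bat|cmd|vbs|js|hta)$", re.I)
SDELETE = re.compile(r"(sdelete|sdelete64)\.exe$", re.I)
BENIGN_DELETERS = re.compile(r"(msiexec|MpSigStub|TiWorker|TrustedInstaller)\.exe$", re.I)


def classify(event):
    """Return the DeletionType label for one FileDeleteInfo event, or None if the rule does not fire."""
    image = event.get("ImageFileName", "")
    target = event.get("TargetFileName", "")
    # Exclusion list applied first, as in the query's final filter
    if BENIGN_DELETERS.search(image):
        return None
    self_delete = image != "" and image.lower() == target.lower()
    staged = bool(STAGING_DIR.search(target) and STAGED_EXT.search(target))
    if not (staged or SDELETE.search(image) or self_delete):
        return None
    # Same branch order as the query's case {} block
    if SDELETE.search(image):
        return "SDelete Secure Deletion"
    if self_delete:
        return "Process Self-Deletion"
    if BINARY_EXT.search(target):
        return "Binary Deletion from Staging Dir"
    if SCRIPT_EXT.search(target):
        return "Script Deletion from Staging Dir"
    return "Other"


def triage(events):
    """Aggregate like the query's groupBy(): (ComputerName, ImageFileName, DeletionType) -> count."""
    counts = Counter()
    for ev in events:
        label = classify(ev)
        if label:
            counts[(ev.get("ComputerName"), ev.get("ImageFileName"), label)] += 1
    return dict(counts)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ComputerName": "WS01", "ImageFileName": r"C:\Windows\System32\cmd.exe",
     "TargetFileName": r"C:\Users\alice\AppData\Local\Temp\stage.exe"},
    {"ComputerName": "WS01", "ImageFileName": r"C:\Windows\System32\cmd.exe",
     "TargetFileName": r"C:\Users\alice\AppData\Local\Temp\run.ps1"},
    {"ComputerName": "WS02", "ImageFileName": r"C:\Tools\sdelete64.exe",
     "TargetFileName": r"C:\Users\bob\Documents\notes.txt"},
    {"ComputerName": "WS03", "ImageFileName": r"C:\ProgramData\svc.exe",
     "TargetFileName": r"C:\ProgramData\svc.exe"},
    {"ComputerName": "WS04", "ImageFileName": r"C:\Windows\System32\msiexec.exe",
     "TargetFileName": r"C:\Windows\Temp\installer.dll"},
    {"ComputerName": "WS05", "ImageFileName": r"C:\Windows\explorer.exe",
     "TargetFileName": r"C:\Users\carol\Documents\report.docx"},
]

if __name__ == "__main__":
    for key, n in triage(SAMPLE_EVENTS).items():
        print(n, key)
```

Running it shows the msiexec deletion from Windows\Temp suppressed by the exclusion and the self-deleting ProgramData binary labelled as self-deletion rather than as a plain binary deletion, which is the branch order the query relies on.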

Data Sources

  • CrowdStrike Falcon EDR
  • Falcon LogScale (Humio)
  • CrowdStrike FileDeleteInfo telemetry

Required Tables

#event_simpleName=FileDeleteInfo

False Positives & Tuning

  • Software deployment and patching automation (SCCM, Intune, PDQ Deploy) that stage executable packages in ProgramData or Temp and remove them after silent installation
  • CrowdStrike Falcon sensor itself or other EDR agents removing quarantined threat artifacts from staging directories as part of automated remediation workflows
  • Scripted application packaging pipelines (Chocolatey, Scoop, winget) that download installers to Temp directories and delete them after successful software installation
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Delete Staged Executable from TEMP Directory

    Expected signal: Sysmon EventCode 11 (FileCreate) for argus_test_payload.exe in TEMP. Sysmon EventCode 23 (FileDelete) for the same file 2 seconds later. DeviceFileEvents in MDE: FileCreated then FileDeleted for the same path within seconds. Process creation for cmd.exe with del argument.

  2. Test 2: Secure File Deletion with SDelete

    Expected signal: Process creation for sdelete.exe with target file path argument. Multiple Sysmon EventCode 23 (FileDelete) or raw file write events as SDelete overwrites file content. Prefetch entry for SDELETE.EXE. MDE DeviceProcessEvents for sdelete.exe execution.

  3. Test 3: PowerShell Self-Deletion Pattern

    Expected signal: PowerShell process creation writing .ps1 script to TEMP. Child cmd.exe process launched with del command targeting the same .ps1 file path. Sysmon EventCode 11 (FileCreate) for the .ps1 then EventCode 23 (FileDelete) after the timeout. The parent-child chain PowerShell → cmd.exe /c del is a high-fidelity self-deletion indicator.
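Tests 1 and 3 above describe two signals the LogScale query itself does not compute: a file created and then deleted within seconds, and the PowerShell → cmd.exe /c del parent-child chain. The following added Python example, not part of the original page, runs both checks over constructed Sysmon-style events (EventCode 11 FileCreate, 23 FileDelete, 1 ProcessCreate); the event shapes, timestamps and file paths are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style events (not real logs). UtcTime follows Sysmon's rendering.
SAMPLE_EVENTS = [
    {"EventCode": 11, "UtcTime": "2024-01-01 10:00:00.000",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\argus_test_payload.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventCode": 23, "UtcTime": "2024-01-01 10:00:02.000",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\argus_test_payload.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventCode": 11, "UtcTime": "2024-01-01 10:05:00.000",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\stage.ps1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventCode": 1, "UtcTime": "2024-01-01 10:05:01.000",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'cmd.exe /c timeout 3 & del "C:\Users\alice\AppData\Local\Temp\stage.ps1"'},
    {"EventCode": 23, "UtcTime": "2024-01-01 10:05:04.000",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\stage.ps1",
     "Image": r"C:\Windows\System32\cmd.exe"},
    # Benign: a document edited in the morning and deleted hours later
    {"EventCode": 11, "UtcTime": "2024-01-01 11:00:00.000",
     "TargetFilename": r"C:\Users\alice\Documents\report.docx",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventCode": 23, "UtcTime": "2024-01-01 16:00:00.000",
     "TargetFilename": r"C:\Users\alice\Documents\report.docx",
     "Image": r"C:\Windows\explorer.exe"},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def rapid_create_delete(events, window=timedelta(seconds=10)):
    """Pair each FileDelete with the most recent earlier FileCreate of the same path.
    Returns (path, seconds between create and delete, deleting image) for pairs inside the window."""
    last_create = {}
    hits = []
    for ev in sorted(events, key=lambda e: parse_time(e["UtcTime"])):
        path = ev.get("TargetFilename", "").lower()
        if ev["EventCode"] == 11:
            last_create[path] = parse_time(ev["UtcTime"])
        elif ev["EventCode"] == 23 and path in last_create:
            delta = parse_time(ev["UtcTime"]) - last_create[path]
            if delta <= window:
                hits.append((ev["TargetFilename"], delta.total_seconds(), ev.get("Image")))
    return hits


def self_delete_chains(events):
    """ProcessCreate events where powershell.exe spawns cmd.exe with a /c ... del command line."""
    out = []
    for ev in events:
        if ev["EventCode"] != 1:
            continue
        parent = ev.get("ParentImage", "").lower()
        image = ev.get("Image", "").lower()
        if (parent.endswith("powershell.exe") and image.endswith("cmd.exe")
                and re.search(r"/c\b.*\bdel\b", ev.get("CommandLine", ""), re.I)):
            out.append(ev["CommandLine"])
    return out


if __name__ == "__main__":
    for path, secs, image in rapid_create_delete(SAMPLE_EVENTS):
        print(f"{secs:.0f}s create->delete: {path} by {image}")
    for cmd in self_delete_chains(SAMPLE_EVENTS):
        print("self-deletion chain:", cmd)
```

The window is the tuning knob: a short window (a few seconds, as in Test 1) keeps installer and packaging-pipeline cleanups out of the results, while the parent-chain check is independent of timing and can be joined to the deletion on the file path in the command line when both signals are present.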
