T1070.004 IBM QRadar · QRadar

Detect File Deletion in IBM QRadar

Adversaries delete files created during their intrusion to remove forensic evidence of their presence. This includes malware droppers, staged tools, credential harvest output files, scan results, and exfiltrated data copies. Common methods include the del or erase commands on Windows, rm or unlink on Linux/macOS, PowerShell Remove-Item, and specialized secure-deletion tools like SDelete (Sysinternals) which overwrites file content before deletion to prevent recovery. Self-deleting malware (RansomHub, SamSam, ProLock, APT38's CLOSESHAVE utility, TeamTNT, Aquatic Panda) is extremely common — the malware executes then schedules its own deletion via cmd.exe /c del commands or moves itself to TEMP and deletes. Detection relies on correlating file creation events with rapid subsequent deletion, process lineage anomalies (svchost.exe or Office processes deleting files from TEMP), and behavioral baselining of which processes legitimately delete from which directories.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1070 Indicator Removal
Sub-technique
T1070.004 File Deletion
Canonical reference
https://attack.mitre.org/techniques/T1070/004/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  username,
  sourceip,
  "filename",
  "filepath",
  "processname",
  "commandline",
  CATEGORYNAME(category) AS Category,
  QIDNAME(qid) AS EventName
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 352)
  AND (
    (
      LOWER("filepath") MATCHES '.*\\\\(temp|appdata\\local\\temp|programdata|users\\\\public|windows\\\\temp)\\\\.*'
      AND LOWER("filename") MATCHES '.*\\.(exe|dll|bat|ps1|vbs|js|hta|cmd)$'
    )
    OR LOWER("processname") MATCHES '.*(sdelete|sdelete64)\.exe$'
    OR ("processname" IS NOT NULL AND "processname" = "filename")
  )
  AND LOWER("processname") NOT MATCHES '.*(msiexec|setup|uninstall|mpsigstub|tiworker|trustedinstaller)\.exe$'
  AND LOGSOURCETYPEID(logsourceid) NOT IN (105, 199)
ORDER BY starttime DESC
LAST 24 HOURS
high severity medium confidence

Detects T1070.004 file deletion activity in QRadar by querying Sysmon Event ID 23 (FileDelete) and Windows Security events for deletion of executables/scripts from staging directories, SDelete usage, and self-deleting processes. Correlates process name with file path for self-deletion detection.

Data Sources

IBM QRadar SIEMSysmon (Event ID 23)Windows Security Event LogMicrosoft Windows DSM

Required Tables

events

False Positives & Tuning

  • Windows Installer (msiexec.exe) removing temporary installation packages from ProgramData or Temp during software deployment
  • Microsoft Defender (MsMpEng.exe) or third-party AV products removing quarantined malicious files detected in staging directories
  • Configuration management tools (SCCM, Ansible, Chef) that deploy scripts to temp directories and clean them up after execution
Download portable Sigma rule (.yml)

Other platforms for T1070.004

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Delete Staged Executable from TEMP Directory

    Expected signal: Sysmon EventCode 11 (FileCreate) for argus_test_payload.exe in TEMP. Sysmon EventCode 23 (FileDelete) for the same file 2 seconds later. DeviceFileEvents in MDE: FileCreated then FileDeleted for the same path within seconds. Process creation for cmd.exe with del argument.

  2. Test 2Secure File Deletion with SDelete

    Expected signal: Process creation for sdelete.exe with target file path argument. Multiple Sysmon EventCode 23 (FileDelete) or raw file write events as SDelete overwrites file content. Prefetch entry for SDELETE.EXE. MDE DeviceProcessEvents for sdelete.exe execution.

  3. Test 3PowerShell Self-Deletion Pattern

    Expected signal: PowerShell process creation writing .ps1 script to TEMP. Child cmd.exe process launched with del command targeting the same .ps1 file path. Sysmon EventCode 11 (FileCreate) for the .ps1 then EventCode 23 (FileDelete) after the timeout. The parent-child chain PowerShell → cmd.exe /c del is a high-fidelity self-deletion indicator.

Last updated: 2026-04-13 Research depth: deep
References (3)

Unlock Pro Content

Get the full detection package for T1070.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1070Indicator Removal

Related Sub-techniques

T1070.001Clear Windows Event LogsT1070.002Clear Linux or Mac System LogsT1070.003Clear Command HistoryT1070.005Network Share Connection RemovalT1070.006TimestompT1070.007Clear Network Connection History and ConfigurationsT1070.008Clear Mailbox DataT1070.009Clear PersistenceT1070.010Relocate Malware

Related Techniques

T1070.003Clear Command HistoryT1070.001Clear Windows Event LogsT1105Ingress Tool TransferT1036.005Match Legitimate Resource Name or LocationT1070.010Relocate MalwareT1485Data Destruction

Same Tactic: Defense Evasion

Popular Detections