Detect File Deletion in Microsoft Sentinel
Adversaries delete files created during their intrusion to remove forensic evidence of their presence. This includes malware droppers, staged tools, credential-harvesting output files, scan results, and copies of exfiltrated data. Common methods include the del or erase commands on Windows, rm or unlink on Linux/macOS, PowerShell Remove-Item, and specialized secure-deletion tools such as SDelete (Sysinternals), which overwrite file content before deletion to prevent recovery. Self-deleting malware (RansomHub, SamSam, ProLock, APT38's CLOSESHAVE utility, TeamTNT, Aquatic Panda) is extremely common — the malware executes, then schedules its own deletion via cmd.exe /c del commands, or moves itself to TEMP and deletes itself from there. Detection relies on correlating file creation events with rapid subsequent deletion, process lineage anomalies (svchost.exe or Office processes deleting files from TEMP), and behavioral baselining of which processes legitimately delete from which directories.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1070 Indicator Removal
- Sub-technique: T1070.004 File Deletion
- Canonical reference: https://attack.mitre.org/techniques/T1070/004/
KQL Detection Query
```kql
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileDeleted"
| where (
    // Executables/scripts deleted from staging directories
    (FolderPath has_any ("\\Temp\\", "\\AppData\\Local\\Temp\\", "\\ProgramData\\", "\\Users\\Public\\", "\\Windows\\Temp\\")
        and (FileName endswith ".exe" or FileName endswith ".dll" or FileName endswith ".bat"
            or FileName endswith ".ps1" or FileName endswith ".vbs" or FileName endswith ".js"
            or FileName endswith ".hta" or FileName endswith ".cmd"))
    or
    // SDelete usage (overwrites then deletes — generates high-volume file events)
    (InitiatingProcessFileName =~ "sdelete.exe" or InitiatingProcessFileName =~ "sdelete64.exe")
    or
    // Process deleting its own executable (self-deletion pattern)
    (InitiatingProcessFolderPath =~ FolderPath and InitiatingProcessFileName =~ FileName)
)
| where InitiatingProcessFileName !in~ ("msiexec.exe", "setup.exe", "uninstall.exe", "MpSigStub.exe",
    "TiWorker.exe", "TrustedInstaller.exe")
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ActionType,
    InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| sort by Timestamp desc
```

Detects suspicious file deletion patterns across three key scenarios: (1) executables, scripts, and DLLs deleted from commonly used staging directories (TEMP, AppData, ProgramData, Windows\Temp) — common for malware cleaning up droppers; (2) SDelete execution — a secure-deletion tool that overwrites file contents before deletion to prevent forensic recovery; (3) self-deletion patterns where the initiating process folder matches the deleted file folder and the names match — the signature of self-deleting malware. Excludes known-good installer and update processes.
Data Sources
Required Tables
- DeviceFileEvents (Microsoft Defender for Endpoint advanced hunting table; the only table the query above reads)
False Positives & Tuning
- Legitimate software installers and updaters that clean up temporary files after installation completes
- Antivirus quarantine and remediation tools deleting malware samples they have identified and contained
- Build systems and CI/CD pipelines that compile code and clean up intermediate artifacts in TEMP directories
- IT management tools like SCCM or PDQ that deploy and remove packages, leaving temporary files that are then cleaned up
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Delete Staged Executable from TEMP Directory
  Expected signal: Sysmon EventCode 11 (FileCreate) for argus_test_payload.exe in TEMP. Sysmon EventCode 23 (FileDelete) for the same file 2 seconds later. DeviceFileEvents in MDE: FileCreated then FileDeleted for the same path within seconds. Process creation for cmd.exe with del argument.
- Test 2: Secure File Deletion with SDelete
  Expected signal: Process creation for sdelete.exe with target file path argument. Multiple Sysmon EventCode 23 (FileDelete) or raw file write events as SDelete overwrites file content. Prefetch entry for SDELETE.EXE. MDE DeviceProcessEvents for sdelete.exe execution.
- Test 3: PowerShell Self-Deletion Pattern
  Expected signal: PowerShell process creation writing .ps1 script to TEMP. Child cmd.exe process launched with del command targeting the same .ps1 file path. Sysmon EventCode 11 (FileCreate) for the .ps1 then EventCode 23 (FileDelete) after the timeout. The parent-child chain PowerShell → cmd.exe /c del is a high-fidelity self-deletion indicator.
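The page's query flags deletions in isolation, while the overview and Tests 1 and 3 describe two correlations it does not itself perform: a file created and then deleted within seconds, and a parent process spawning cmd.exe /c del against a file it wrote (or against its own image). The following is an added example, not the page's or the vendor's code, that implements both correlations in Python over constructed records whose column names follow the MDE DeviceFileEvents and DeviceProcessEvents tables the tests refer to. The 60-second window, the device and process-id values, and all file paths are assumptions made for the sample; the allow-list is the one from the KQL above.

```python
"""Added example (not the page's KQL): create-then-delete timing and the
parent -> cmd.exe /c del self-deletion chain, over constructed MDE-shaped records."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

STAGING_DIRS = ("\\temp\\", "\\appdata\\local\\temp\\", "\\programdata\\",
                "\\users\\public\\", "\\windows\\temp\\")
STAGED_EXTS = (".exe", ".dll", ".bat", ".ps1", ".vbs", ".js", ".hta", ".cmd")
# Same installer/update allow-list as the page's query (lower-cased for matching)
KNOWN_CLEANUP = {"msiexec.exe", "setup.exe", "uninstall.exe", "mpsigstub.exe",
                 "tiworker.exe", "trustedinstaller.exe"}
RAPID_WINDOW = timedelta(seconds=60)  # assumed threshold; tune per environment
# cmd.exe "del"/"erase" with optional switches, then a quoted or bare target path
DEL_TARGET = re.compile(r'(?i)\b(?:del|erase)\b(?:\s+/[a-z])*\s+"?([^"]+?)"?\s*$')


def is_staged_artifact(path: str) -> bool:
    """Executable/script under one of the staging directories the page lists."""
    p = path.lower()
    return any(d in p for d in STAGING_DIRS) and p.endswith(STAGED_EXTS)


def rapid_create_delete(file_events, window=RAPID_WINDOW):
    """Pair each FileDeleted with the last FileCreated of the same path on the same
    device; report deletions inside `window` unless a known cleanup process did them."""
    created, hits = {}, []
    for ev in sorted(file_events, key=lambda e: e["Timestamp"]):
        key = (ev["DeviceName"], ev["FolderPath"].lower())
        if ev["ActionType"] == "FileCreated":
            created[key] = ev
        elif ev["ActionType"] == "FileDeleted":
            c = created.pop(key, None)
            if c is None:
                continue
            age = (datetime.fromisoformat(ev["Timestamp"])
                   - datetime.fromisoformat(c["Timestamp"]))
            if age <= window and ev["InitiatingProcessFileName"].lower() not in KNOWN_CLEANUP:
                hits.append({"path": ev["FolderPath"], "seconds": age.total_seconds(),
                             "created_by": c["InitiatingProcessFileName"],
                             "deleted_by": ev["InitiatingProcessFileName"],
                             "staged_artifact": is_staged_artifact(ev["FolderPath"])})
    return hits


def self_deletion_chains(process_events, file_events):
    """Flag cmd.exe del/erase launches whose target is the parent's own image file or
    a file the parent process created (the PowerShell -> cmd.exe /c del chain)."""
    writers = defaultdict(set)  # (device, path) -> process ids that created the file
    for ev in file_events:
        if ev["ActionType"] == "FileCreated":
            writers[(ev["DeviceName"], ev["FolderPath"].lower())].add(ev["InitiatingProcessId"])
    hits = []
    for ev in process_events:
        if ev["FileName"].lower() != "cmd.exe":
            continue
        m = DEL_TARGET.search(ev["ProcessCommandLine"])
        if not m:
            continue
        target = m.group(1).strip().lower()
        if target == ev["InitiatingProcessFolderPath"].lower():
            reason = "deletes_parent_image"
        elif ev["InitiatingProcessId"] in writers[(ev["DeviceName"], target)]:
            reason = "deletes_file_written_by_parent"
        else:
            continue
        hits.append({"cmd_pid": ev["ProcessId"], "parent": ev["InitiatingProcessFileName"],
                     "target": m.group(1).strip(), "reason": reason})
    return hits


# Constructed sample telemetry (not real logs); column names follow MDE advanced hunting.
DEV = "WS-ALICE"
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STAGE = r"C:\Users\alice\AppData\Local\Temp\stage.exe"
SCRIPT = r"C:\Users\Public\run.ps1"
MSI_TMP = r"C:\Windows\Temp\setup_tmp.dll"
TOOL = r"C:\ProgramData\Acme\tool.dll"


def _fe(ts, action, path, proc, pid):
    return {"Timestamp": ts, "DeviceName": DEV, "ActionType": action, "FolderPath": path,
            "InitiatingProcessFileName": proc, "InitiatingProcessId": pid}


def _pe(pid, cmdline, parent, ppid, parent_image):
    return {"DeviceName": DEV, "FileName": "cmd.exe", "ProcessId": pid,
            "ProcessCommandLine": cmdline, "InitiatingProcessFileName": parent,
            "InitiatingProcessId": ppid, "InitiatingProcessFolderPath": parent_image}


FILE_EVENTS = [
    _fe("2024-05-01T10:00:00", "FileCreated", STAGE, "powershell.exe", 4100),
    _fe("2024-05-01T10:00:02", "FileDeleted", STAGE, "cmd.exe", 4200),
    _fe("2024-05-01T10:00:03", "FileCreated", SCRIPT, "powershell.exe", 4100),
    _fe("2024-05-01T10:00:10", "FileDeleted", SCRIPT, "cmd.exe", 4300),
    _fe("2024-05-01T10:05:00", "FileCreated", MSI_TMP, "msiexec.exe", 600),   # allow-listed
    _fe("2024-05-01T10:05:05", "FileDeleted", MSI_TMP, "msiexec.exe", 600),
    _fe("2024-05-01T09:00:00", "FileCreated", TOOL, "setup.exe", 700),        # outside window
    _fe("2024-05-01T11:30:00", "FileDeleted", TOOL, "explorer.exe", 900),
]
PROCESS_EVENTS = [
    _pe(4200, r'cmd.exe /c del /f /q "C:\Users\alice\AppData\Local\Temp\stage.exe"',
        "powershell.exe", 4100, PS_IMAGE),
    _pe(4300, r'cmd.exe /c timeout /t 5 & del "C:\Users\Public\run.ps1"',
        "powershell.exe", 4100, PS_IMAGE),
    _pe(4400, r"cmd.exe /c del C:\ProgramData\dropper\svc.exe",
        "svc.exe", 5000, r"C:\ProgramData\dropper\svc.exe"),
    _pe(4500, r"cmd.exe /c del /q C:\Users\alice\Downloads\notes.txt",
        "explorer.exe", 900, r"C:\Windows\explorer.exe"),   # benign user deletion
]

if __name__ == "__main__":
    for h in rapid_create_delete(FILE_EVENTS):
        print("rapid create->delete:", h)
    for h in self_deletion_chains(PROCESS_EVENTS, FILE_EVENTS):
        print("self-deletion chain:", h)
```

Run as-is, the sample yields two rapid create-then-delete hits (stage.exe after 2 s and run.ps1 after 7 s; the msiexec.exe cleanup is allow-listed and the tool.dll deletion falls outside the window) and three self-deletion chains (two cmd.exe launches deleting files their PowerShell parent wrote, one deleting the parent's own image). The same two joins translate directly into KQL: a self-join of DeviceFileEvents on DeviceName and FolderPath keyed on ActionType, and a join of DeviceProcessEvents to DeviceFileEvents on InitiatingProcessId.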