T1070.004 Splunk · SPL

Detect File Deletion in Splunk

Adversaries delete files created during their intrusion to remove forensic evidence of their presence. This includes malware droppers, staged tools, credential harvest output files, scan results, and exfiltrated data copies. Common methods include the del or erase commands on Windows, rm or unlink on Linux/macOS, PowerShell Remove-Item, and specialized secure-deletion tools like SDelete (Sysinternals) which overwrites file content before deletion to prevent recovery. Self-deleting malware (RansomHub, SamSam, ProLock, APT38's CLOSESHAVE utility, TeamTNT, Aquatic Panda) is extremely common — the malware executes then schedules its own deletion via cmd.exe /c del commands or moves itself to TEMP and deletes. Detection relies on correlating file creation events with rapid subsequent deletion, process lineage anomalies (svchost.exe or Office processes deleting files from TEMP), and behavioral baselining of which processes legitimately delete from which directories.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1070 Indicator Removal
Sub-technique
T1070.004 File Deletion
Canonical reference
https://attack.mitre.org/techniques/T1070/004/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=23
| where (match(TargetFilename, "(?i)(\\\\Temp\\\\|\\\\AppData\\\\Local\\\\Temp\\\\|\\\\ProgramData\\\\|\\\\Users\\\\Public\\\\|\\\\Windows\\\\Temp\\\\)")
         AND match(TargetFilename, "(?i)\\.(exe|dll|bat|ps1|vbs|js|hta|cmd)$"))
   OR (Image like "%sdelete.exe" OR Image like "%sdelete64.exe")
| where NOT (Image like "%msiexec.exe" OR Image like "%TrustedInstaller.exe" OR Image like "%TiWorker.exe")
| eval DeletionType=case(
    Image like "%sdelete%", "SDelete Secure Deletion",
    match(TargetFilename, "(?i)\\.(exe|dll)$"), "Binary Deletion from Staging Dir",
    match(TargetFilename, "(?i)\\.(ps1|bat|cmd|vbs|js|hta)$"), "Script Deletion from Staging Dir",
    true(), "Other File Deletion"
  )
| table _time, host, User, Image, CommandLine, TargetFilename, DeletionType
| sort - _time
medium severity medium confidence

Detects file deletion events via Sysmon EventCode 23 (FileDelete). Focuses on executable and script files deleted from staging directories commonly used by adversaries (TEMP, AppData, ProgramData, Windows\Temp). Also detects SDelete tool usage regardless of file type since SDelete is rarely used by non-adversaries in enterprise environments. Classifies deletion events by type for triage prioritization.

Data Sources

File: File DeletionSysmon Event ID 23

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Software deployment tools cleaning up temporary installation files after successful package installation
  • Security tools that delete quarantined malware samples from staging directories
  • Developer workstations running build scripts that compile then delete intermediate binary artifacts
  • Patch management solutions extracting and deleting temporary patch files from Windows\Temp
Download portable Sigma rule (.yml)

Other platforms for T1070.004

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Delete Staged Executable from TEMP Directory

    Expected signal: Sysmon EventCode 11 (FileCreate) for argus_test_payload.exe in TEMP. Sysmon EventCode 23 (FileDelete) for the same file 2 seconds later. DeviceFileEvents in MDE: FileCreated then FileDeleted for the same path within seconds. Process creation for cmd.exe with del argument.

  2. Test 2Secure File Deletion with SDelete

    Expected signal: Process creation for sdelete.exe with target file path argument. Multiple Sysmon EventCode 23 (FileDelete) or raw file write events as SDelete overwrites file content. Prefetch entry for SDELETE.EXE. MDE DeviceProcessEvents for sdelete.exe execution.

  3. Test 3PowerShell Self-Deletion Pattern

    Expected signal: PowerShell process creation writing .ps1 script to TEMP. Child cmd.exe process launched with del command targeting the same .ps1 file path. Sysmon EventCode 11 (FileCreate) for the .ps1 then EventCode 23 (FileDelete) after the timeout. The parent-child chain PowerShell → cmd.exe /c del is a high-fidelity self-deletion indicator.

Last updated: 2026-04-13 Research depth: deep
References (3)

Unlock Pro Content

Get the full detection package for T1070.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1070Indicator Removal

Related Sub-techniques

T1070.001Clear Windows Event LogsT1070.002Clear Linux or Mac System LogsT1070.003Clear Command HistoryT1070.005Network Share Connection RemovalT1070.006TimestompT1070.007Clear Network Connection History and ConfigurationsT1070.008Clear Mailbox DataT1070.009Clear PersistenceT1070.010Relocate Malware

Related Techniques

T1070.003Clear Command HistoryT1070.001Clear Windows Event LogsT1105Ingress Tool TransferT1036.005Match Legitimate Resource Name or LocationT1070.010Relocate MalwareT1485Data Destruction

Same Tactic: Defense Evasion

Popular Detections