T1070.004 Sumo Logic CSE · Sumo

Detect File Deletion in Sumo Logic CSE

Adversaries delete files created during their intrusion to remove forensic evidence of their presence. This includes malware droppers, staged tools, credential harvest output files, scan results, and exfiltrated data copies. Common methods include the del or erase commands on Windows, rm or unlink on Linux/macOS, PowerShell Remove-Item, and specialized secure-deletion tools like SDelete (Sysinternals) which overwrites file content before deletion to prevent recovery. Self-deleting malware (RansomHub, SamSam, ProLock, APT38's CLOSESHAVE utility, TeamTNT, Aquatic Panda) is extremely common — the malware executes then schedules its own deletion via cmd.exe /c del commands or moves itself to TEMP and deletes. Detection relies on correlating file creation events with rapid subsequent deletion, process lineage anomalies (svchost.exe or Office processes deleting files from TEMP), and behavioral baselining of which processes legitimately delete from which directories.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1070 Indicator Removal
Sub-technique
T1070.004 File Deletion
Canonical reference
https://attack.mitre.org/techniques/T1070/004/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=*windows*sysmon* OR _sourceCategory=*wineventlog*sysmon*
| where EventID = "23"
| parse field=Message "TargetFilename: *\n" as TargetFilename nodrop
| parse field=Message "Image: *\n" as Image nodrop
| parse field=Message "CommandLine: *\n" as CommandLine nodrop
| parse field=Message "User: *\n" as User nodrop
| where (
    (
      matches(TargetFilename, "(?i).*(\\\\Temp\\\\|\\\\AppData\\\\Local\\\\Temp\\\\|\\\\ProgramData\\\\|\\\\Users\\\\Public\\\\|\\\\Windows\\\\Temp\\\\).*")
      AND matches(TargetFilename, "(?i).*\\.(exe|dll|bat|ps1|vbs|js|hta|cmd)$")
    )
    OR matches(Image, "(?i).*(sdelete|sdelete64)\.exe$")
    OR (
      substring(Image, lastIndexOf(Image, "\\") + 1) = substring(TargetFilename, lastIndexOf(TargetFilename, "\\") + 1)
    )
  )
| where !(matches(Image, "(?i).*(msiexec|setup|uninstall|MpSigStub|TiWorker|TrustedInstaller)\.exe$"))
| eval DeletionType = if(matches(Image, "(?i).*sdelete.*"), "SDelete Secure Deletion",
    if(matches(TargetFilename, "(?i).*\\.(exe|dll)$"), "Binary Deletion from Staging Dir",
    if(matches(TargetFilename, "(?i).*\\.(ps1|bat|cmd|vbs|js|hta)$"), "Script Deletion from Staging Dir",
    "Self-Deletion Pattern")))
| table _messageTime, _sourceHost, User, Image, CommandLine, TargetFilename, DeletionType
| sort by _messageTime desc
high severity high confidence

Detects T1070.004 file deletion of executables and scripts from staging directories using Sysmon Event ID 23 (FileDelete). Also identifies SDelete secure deletion tool usage and process self-deletion patterns. Enriches events with a DeletionType classification for analyst triage.

Data Sources

Sumo Logic Cloud SIEMSysmon operational logs via Sumo Logic Installed CollectorWindows Event Log source

Required Tables

Sysmon Event ID 23 logs

False Positives & Tuning

  • Software packaging and deployment solutions removing bundled scripts after silent installations complete in corporate environments
  • Endpoint protection platforms (CrowdStrike Falcon, Carbon Black) performing remediation by deleting identified malware from temp directories
  • Developer IDEs and build systems (Visual Studio, JetBrains) that compile binaries to temp locations and delete intermediate artifacts after successful builds
Download portable Sigma rule (.yml)

Other platforms for T1070.004

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Delete Staged Executable from TEMP Directory

    Expected signal: Sysmon EventCode 11 (FileCreate) for argus_test_payload.exe in TEMP. Sysmon EventCode 23 (FileDelete) for the same file 2 seconds later. DeviceFileEvents in MDE: FileCreated then FileDeleted for the same path within seconds. Process creation for cmd.exe with del argument.

  2. Test 2Secure File Deletion with SDelete

    Expected signal: Process creation for sdelete.exe with target file path argument. Multiple Sysmon EventCode 23 (FileDelete) or raw file write events as SDelete overwrites file content. Prefetch entry for SDELETE.EXE. MDE DeviceProcessEvents for sdelete.exe execution.

  3. Test 3PowerShell Self-Deletion Pattern

    Expected signal: PowerShell process creation writing .ps1 script to TEMP. Child cmd.exe process launched with del command targeting the same .ps1 file path. Sysmon EventCode 11 (FileCreate) for the .ps1 then EventCode 23 (FileDelete) after the timeout. The parent-child chain PowerShell → cmd.exe /c del is a high-fidelity self-deletion indicator.

Last updated: 2026-04-13 Research depth: deep
References (3)

Unlock Pro Content

Get the full detection package for T1070.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1070Indicator Removal

Related Sub-techniques

T1070.001Clear Windows Event LogsT1070.002Clear Linux or Mac System LogsT1070.003Clear Command HistoryT1070.005Network Share Connection RemovalT1070.006TimestompT1070.007Clear Network Connection History and ConfigurationsT1070.008Clear Mailbox DataT1070.009Clear PersistenceT1070.010Relocate Malware

Related Techniques

T1070.003Clear Command HistoryT1070.001Clear Windows Event LogsT1105Ingress Tool TransferT1036.005Match Legitimate Resource Name or LocationT1070.010Relocate MalwareT1485Data Destruction

Same Tactic: Defense Evasion

Popular Detections