title: File Deletion (T1070.004)
id: df00tech-t1070-004
status: experimental
description: "Adversaries delete files they created during an intrusion to remove forensic evidence of their presence: malware droppers, staged tools, credential-harvest output, scan results, and local copies of exfiltrated data. Common methods are the del and erase commands on Windows, rm or unlink on Linux/macOS, PowerShell Remove-Item, and secure-deletion tools such as SDelete (Sysinternals), which overwrites the file content before unlinking it so the data cannot be recovered from disk. Self-deleting malware (RansomHub, SamSam, ProLock, APT38's CLOSESHAVE utility, TeamTNT, Aquatic Panda) is extremely common: the payload runs, then removes its own binary, typically by spawning cmd.exe /c del against its own path or by moving itself to TEMP and deleting it there. Detection relies on correlating file-creation events with a deletion of the same file shortly afterwards, on process-lineage anomalies (svchost.exe or Office processes deleting files from TEMP), and on behavioral baselines of which processes legitimately delete from which directories."
references:
  - https://attack.mitre.org/techniques/T1070/004/
  - https://df00tech.com/detections/T1070.004
author: df00tech
date: 2026/04/13
tags:
  - attack.t1070.004
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The correlation logic on df00tech (file created, then deleted shortly afterwards) needs
  # file-event telemetry and does not translate to a single process_creation rule; see the
  # KQL/SPL query there. The selections below cover only the command-line deletion methods
  # named in the description above and are derived from it, not from the df00tech query.
  selection_delete_cmd:
    CommandLine|contains:
      - ' del '
      - ' erase '
      - 'Remove-Item'
  selection_temp_path:
    CommandLine|contains:
      - '\AppData\Local\Temp\'
      - '\Windows\Temp\'
  selection_sdelete:
    Image|endswith:
      - '\sdelete.exe'
      - '\sdelete64.exe'
  condition: (selection_delete_cmd and selection_temp_path) or selection_sdelete
falsepositives:
  - Legitimate software installers and updaters that clean up temporary files after installation completes
  - Antivirus quarantine and remediation tools deleting malware samples they have identified and contained
  - Build systems and CI/CD pipelines that compile code and clean up intermediate artifacts in TEMP directories
  - "IT management tools like SCCM or PDQ that deploy and remove packages, leaving temporary files that are then cleaned up"
level: medium
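The description states the detection strategy (file created then rapidly deleted, lineage anomalies such as svchost.exe deleting from TEMP, and cmd.exe /c del self-deletion) but the Sigma rule above can only express the command-line part. The script below is an added example, not df00tech's detection logic or the KQL/SPL query it references; it assumes Sysmon-style events already parsed into dicts (Event ID 1 ProcessCreate, 11 FileCreate, 23 FileDelete) with the field names shown, and the events in SAMPLE_EVENTS are constructed for the demo.

```python
"""Correlate file-create / file-delete telemetry to flag T1070.004 patterns.

Added example, not df00tech's own logic. Assumes Sysmon-style events parsed
into dicts (id 1 ProcessCreate, 11 FileCreate, 23 FileDelete); the
SAMPLE_EVENTS below are constructed, not captured from a real host.
"""
import re
from datetime import datetime, timedelta

# Processes that should never delete files from TEMP on this estate (assumed baseline).
LINEAGE_WATCHLIST = {"svchost.exe", "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
RAPID_WINDOW = timedelta(seconds=60)
# Token following `del` or `erase`; quotes are stripped from the line before matching.
DEL_RE = re.compile(r"\b(?:del|erase)\b\s+(\S+)", re.IGNORECASE)

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"time": "2026-04-13T09:00:00", "host": "WS01", "id": 11,
     "image": r"C:\Windows\System32\msiexec.exe", "target": r"C:\Windows\Temp\msi1234.tmp"},
    {"time": "2026-04-13T09:30:00", "host": "WS01", "id": 23,   # installer cleanup, 30 min later
     "image": r"C:\Windows\System32\msiexec.exe", "target": r"C:\Windows\Temp\msi1234.tmp"},
    {"time": "2026-04-13T10:00:00", "host": "WS01", "id": 11,   # harvest output written...
     "image": r"C:\Users\bob\AppData\Local\Temp\stage.exe",
     "target": r"C:\Users\bob\AppData\Local\Temp\creds.txt"},
    {"time": "2026-04-13T10:00:20", "host": "WS01", "id": 23,   # ...and deleted 20 s later
     "image": r"C:\Users\bob\AppData\Local\Temp\stage.exe",
     "target": r"C:\Users\bob\AppData\Local\Temp\creds.txt"},
    {"time": "2026-04-13T10:00:25", "host": "WS01", "id": 1,    # dropper deletes itself
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Users\bob\AppData\Local\Temp\stage.exe",
     "cmdline": r'cmd.exe /c del "C:\Users\bob\AppData\Local\Temp\stage.exe"'},
    {"time": "2026-04-13T10:05:00", "host": "WS01", "id": 23,   # svchost.exe deleting from TEMP
     "image": r"C:\Windows\System32\svchost.exe", "target": r"C:\Users\bob\AppData\Local\Temp\x.dat"},
    {"time": "2026-04-13T11:00:00", "host": "WS01", "id": 1,    # build cleanup, not TEMP
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\tools\make.exe",
     "cmdline": r"cmd.exe /c del C:\build\obj\foo.o"},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_temp_path(path):
    return any(marker in path.lower() for marker in TEMP_MARKERS)


def find_rapid_deletes(events, window=RAPID_WINDOW):
    """Files deleted within `window` of their creation on the same host."""
    created, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] not in (11, 23):
            continue
        key = (ev["host"], ev["target"].lower())
        if ev["id"] == 11:
            created[key] = ev
            continue
        create_ev = created.pop(key, None)
        if create_ev is None:
            continue
        age = datetime.fromisoformat(ev["time"]) - datetime.fromisoformat(create_ev["time"])
        if age <= window:
            alerts.append({"rule": "rapid_delete", "host": ev["host"], "path": ev["target"],
                           "image": ev["image"], "seconds": int(age.total_seconds())})
    return alerts


def find_lineage_anomalies(events):
    """Deletions from TEMP by processes on the watchlist (svchost.exe, Office)."""
    return [{"rule": "lineage_anomaly", "host": ev["host"], "path": ev["target"], "image": ev["image"]}
            for ev in events
            if ev["id"] == 23 and _basename(ev["image"]) in LINEAGE_WATCHLIST
            and is_temp_path(ev["target"])]


def find_self_delete_commands(events):
    """cmd.exe del/erase of a file under TEMP: the self-deletion pattern from the description."""
    alerts = []
    for ev in events:
        if ev["id"] != 1 or _basename(ev["image"]) != "cmd.exe":
            continue
        match = DEL_RE.search(ev["cmdline"].replace('"', ""))
        if match and is_temp_path(match.group(1)):
            alerts.append({"rule": "self_delete_cmd", "host": ev["host"], "path": match.group(1),
                           "image": ev["image"], "parent": ev.get("parent", "")})
    return alerts


def run_detections(events):
    return find_rapid_deletes(events) + find_lineage_anomalies(events) + find_self_delete_commands(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

On the sample data this raises three alerts (the 20-second creds.txt lifetime, svchost.exe deleting from TEMP, and the cmd.exe /c del of the dropper) while the msiexec.exe temp file and the build-tree cleanup stay quiet, which is the false-positive behaviour the falsepositives list above calls for. The 60-second window and the watchlist are assumed tuning values; in production they come from the baselining step the description mentions.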
