Home/ATT&CK Technique/File Deletion
ATT&CK Technique

File Deletion

T1070.004 · stealth

Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.

There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples of built-in Command and Scripting Interpreter functions include del on Windows, rm or unlink on Linux and macOS, and rm on ESXi.

ESXiLinuxmacOSWindows

Actors Using This

14
iranAgrius
russia_speaking_cybercrimeAkira
russia_speaking_cybercrimeALPHV / BlackCat
latin_america_brazilian_organized_cybercrimeAmavaldo
north_koreaAndariel
franceAnimal Farm
unknown_likely_russia_alignedAnubis Ransomware
chinaAPT10
chinaAPT17
chinaAPT1
russiaAPT28
russiaAPT29
chinaAPT31
iranAPT33

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
resource-development same
T1584.004 · Server ×1.18
initial-access same
T1195 · Supply Chain Compromise ×1.18
persistence same
T1505 · Server Software Component ×1.18T1037 · Boot or Logon Initialization Scripts ×1.18
privilege-escalation same
T1055 · Process Injection ×1.18T1134 · Access Token Manipulation ×1.18T1055.001 · Dynamic-link Library Injection ×1.18
discovery same
T1012 · Query Registry ×1.18
lateral-movement same
T1550.002 · Pass the Hash ×1.18
command-and-control same
T1573.002 · Asymmetric Cryptography ×1.18T1572 · Protocol Tunneling ×1.18
impact same
T1489 · Service Stop ×1.18
other same
T1070.001 · Clear Windows Event Logs ×1.18T1553.002 · Code Signing ×1.18T1070.006 · Timestomp ×1.18

Atomic Tests

11
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
shlinux, macosDelete a single file - FreeBSD/Linux/macOS
Delete a single file from the temporary directory 
rm -f #{file_to_delete}
shlinux, macosDelete an entire folder - FreeBSD/Linux/macOS
Recursively delete the temporary directory and all files contained within it 
rm -rf #{folder_to_delete}
shlinuxOverwrite and delete a file with shred
Use the `shred` command to overwrite the temporary file and then delete it 
shred -u #{file_to_shred}
command_promptwindowsDelete a single file - Windows cmd
Delete a single file from the temporary directory using cmd.exe. Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted. 
del /f #{file_to_delete}
command_promptwindowsDelete an entire folder - Windows cmd
Recursively delete a folder in the temporary directory using cmd.exe. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted. 
rmdir /s /q #{folder_to_delete}
powershellwindowsDelete a single file - Windows PowerShell
Delete a single file from the temporary directory using Powershell. Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted. 
Remove-Item -path #{file_to_delete}
powershellwindowsDelete an entire folder - Windows PowerShell
Recursively delete a folder in the temporary directory using Powershell. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted. 
Remove-Item -Path #{folder_to_delete} -Recurse
shlinuxDelete Filesystem - Linux
This test deletes the entire root filesystem of a Linux system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment. 
[ "$(uname)" = 'Linux' ] && rm -rf / --no-preserve-root > /dev/null 2> /dev/null || chflags -R 0 / && rm -rf / > /dev/null 2> /dev/null
powershellelevatedwindowsDelete Prefetch File
Delete a single prefetch file. Deletion of prefetch files is a known anti-forensic technique. To verify execution, Run `(Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" | Measure-Object).Count` before and after the test to verify that the number of prefetch files decreases by 1. 
Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" -Name)[0])
powershellwindowsDelete TeamViewer Log Files
Adversaries may delete TeamViewer log files to hide activity. This should provide a high true-positive alert ration. This test just places the files in a non-TeamViewer folder, a detection would just check for a deletion event matching the TeamViewer log file format of TeamViewer_##.log. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted. https://twitter.com/SBousseaden/status/1197524463304290305?s=20 
New-Item -Path #{teamviewer_log_file} -Force | Out-Null
Remove-Item #{teamviewer_log_file} -Force -ErrorAction Ignore
command_promptelevatedwindowsClears Recycle bin via rd
An adversary clears the recycle bin in the system partition using rd to remove traces of deleted files. [Reference](https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/) 
rd /s /q %systemdrive%\$RECYCLE.BIN

Detection Coverage

1/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) 13
Analytics (MITRE CAR) none
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

Caldera Emulation

2
MITRE Caldera abilities that emulate this technique - each is an executable action for automated adversary emulation.
defense-evasionwindows, darwin, linuxDeadman - Delete agent file
$startupClass = Get-CimClass -ClassName Win32_ProcessStartup;
$startupInfo = New-CimInstance -CimClass $startupClass -Property @{ShowWindow = 0} -ClientOnly;
$processClass = Get-CimClass -ClassName Win32_Process;
Invoke-CimMethod -CimClass $processClass -MethodName Create -Arguments @{
    Commandline = 'cmd.exe /c "timeout /nobreak /t 10 >nul 2>nul & del /f #{location}"';
    ProcessStartupInformation = [CimInstance]$startupInfo
};
defense-evasiondarwin, linux, windowsDelete payload

Comply & Defend

D3FEND11 defensive techniques
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin