File Deletion

Events in which a file is removed from a file system or storage device. Such events can reflect legitimate housekeeping (log rotation, temporary-file cleanup, build artifacts) or adversary activity, most often the removal of dropped tools, staged data, backups or logs to cover tracks. Monitoring file deletions, with the deleting process and user attached, lets organizations distinguish routine cleanup from unauthorized or suspicious removals.

This data component can be collected through the following measures:

Windows

  • Sysmon: Event ID 23 (FileDelete, with the file archived) and Event ID 26 (FileDeleteDetected, logged only) record the deleted path, the responsible image, and the user. Neither is emitted unless the Sysmon configuration contains a matching FileDelete rule.
  • Windows Event Log: enable the "Audit File System" subcategory under "Object Access" and place a SACL with Delete access on the directories to watch. The Security log then records Event ID 4663 (an attempt was made to access an object, with DELETE in the access mask) and Event ID 4660 (an object was deleted). Without a SACL on the object nothing is logged, regardless of the audit policy.
  • PowerShell: Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663} | Where-Object {$_.Message -like '*DELETE*'}
    This matches the DELETE access right in the message text; pair it with Event ID 4660 carrying the same Handle ID to confirm the object was actually removed rather than merely opened with delete access.

Linux

  • Auditd: a rule that watches only unlink, rename and rmdir misses most real deletions, because modern coreutils (rm, mv) call unlinkat, renameat and renameat2. Include those syscalls, and add a b32 variant on hosts that run 32-bit binaries:
    auditctl -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S renameat2 -S rmdir -k file_deletion
    auditctl -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S renameat2 -S rmdir -k file_deletion
    Persist the rules under /etc/audit/rules.d/ so they survive a reboot; add -F auid>=1000 -F auid!=unset to drop system-account noise where that fits the environment.
  • Query logs: ausearch -k file_deletion -i (the -i flag resolves user IDs and syscall numbers). The removed file appears in the PATH record tagged nametype=DELETE; the SYSCALL record in the same group carries the process (exe, comm), uid and auid.
  • Inotify: inotifywait -m -r /path/to/watch -e delete -e delete_self (-r recurses, delete_self fires when the watched path itself is removed). inotify is per-path rather than system-wide and does not identify the deleting process, so use it for a few sensitive directories and auditd for attribution.

macOS

  • Endpoint Security Framework (ESF): subscribe to ES_EVENT_TYPE_AUTH_UNLINK (the client can deny the deletion) or ES_EVENT_TYPE_NOTIFY_UNLINK (notification only); the message carries the target file and the initiating process. Requires a system extension signed with the com.apple.developer.endpoint-security.client entitlement.
  • Kernel trace (fs_usage): fs_usage is a kernel trace utility, not the FSEvents API, and needs root: sudo fs_usage -w -f filesys | grep -E 'unlink|rmdir'. Output includes the pid and process name of the caller.
  • osquery: the file_events table records deletions (action = DELETED) for paths listed under file_paths in the osquery configuration, provided file events are enabled.

SIEM Integration

  • Forward file deletion logs to a SIEM for centralized monitoring. Normalize the fields that every platform provides (timestamp, host, user, deleting process, deleted path) so deletions can be correlated with process creation, logon and backup events, and so a single rule can cover log removal on Windows, Linux and macOS.

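The collection measures above emit records in different shapes: auditd groups of SYSCALL and PATH lines, and Sysmon Event ID 23 in Windows Event XML. The following added example (not part of the ATT&CK page, Sysmon or auditd) shows one way to normalize both into a single deletion event and apply a first triage pass for track covering before forwarding to a SIEM. The sample records, the log directories and the wipe-tool list are constructed assumptions for the demonstration.

```python
"""Added example: normalise file-deletion records from auditd (Linux) and
Sysmon Event ID 23 (Windows) into one schema and flag likely track covering."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass

# Constructed auditd output in the raw form `ausearch -k file_deletion` prints.
# CWD records are omitted; PARENT records are shown once to contrast with DELETE.
AUDITD_SAMPLE = """\
type=SYSCALL msg=audit(1700000000.123:4242): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c items=2 ppid=1337 pid=1338 auid=1000 uid=0 gid=0 euid=0 comm="rm" exe="/usr/bin/rm" key="file_deletion"
type=PATH msg=audit(1700000000.123:4242): item=0 name="/var/log/" inode=131 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.123:4242): item=1 name="/var/log/auth.log" inode=4567 dev=fd:00 mode=0100640 ouid=0 ogid=4 rdev=00:00 nametype=DELETE
type=SYSCALL msg=audit(1700000000.456:4243): arch=c000003e syscall=87 success=yes exit=0 items=2 ppid=2000 pid=2001 auid=1000 uid=1000 comm="srm" exe="/usr/local/bin/srm" key="file_deletion"
type=PATH msg=audit(1700000000.456:4243): item=1 name="/home/jsmith/notes.txt" inode=9001 dev=fd:00 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE
type=SYSCALL msg=audit(1700000000.789:4244): arch=c000003e syscall=263 success=yes exit=0 items=2 ppid=3000 pid=3001 auid=1000 uid=1000 comm="gcc" exe="/usr/bin/gcc" key="file_deletion"
type=PATH msg=audit(1700000000.789:4244): item=1 name="/tmp/ccAb12.o" inode=777 dev=fd:00 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE
"""

# Constructed Sysmon Event ID 23 record in Windows Event XML form.
SYSMON_SAMPLE = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>23</EventID><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="UtcTime">2023-11-14 22:13:20.123</Data>
    <Data Name="User">CORP\jsmith</Data>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="TargetFilename">C:\Windows\System32\winevt\Logs\Security.evtx</Data>
    <Data Name="Archived">true</Data>
  </EventData>
</Event>
"""

@dataclass
class DeletionEvent:
    source: str    # "auditd" or "sysmon"
    user: str      # auid/uid on Linux, DOMAIN\user on Windows
    process: str   # exe (Linux) or Image (Windows) of the deleting process
    path: str      # the file that was removed

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')        # auditd key=value tokens
SERIAL = re.compile(r'audit\([\d.]+:(\d+)\)')  # event serial after the timestamp

def parse_auditd(text):
    """Group raw auditd records by serial and emit one DeletionEvent per PATH
    record tagged nametype=DELETE (the kernel's mark for the removed entry)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            fields = {k: v.strip('"') for k, v in KV.findall(line)}
            groups[SERIAL.search(line).group(1)].append(fields)
    events = []
    for recs in groups.values():
        syscall = next((r for r in recs if r['type'] == 'SYSCALL'), None)
        if syscall is None or syscall.get('success') != 'yes':
            continue  # failed or incomplete group: nothing was actually removed
        for r in recs:
            if r['type'] == 'PATH' and r.get('nametype') == 'DELETE':
                events.append(DeletionEvent(
                    'auditd', f"auid={syscall.get('auid')} uid={syscall.get('uid')}",
                    syscall.get('exe', syscall.get('comm', '?')), r['name']))
    return events

NS = {'e': 'http://schemas.microsoft.com/win/2004/08/events/event'}

def parse_sysmon(xml_text):
    """Extract the deletion fields from a Sysmon FileDelete (23) or
    FileDeleteDetected (26) event; any other event ID yields nothing."""
    root = ET.fromstring(xml_text)
    if root.findtext('e:System/e:EventID', namespaces=NS) not in ('23', '26'):
        return []
    data = {d.get('Name'): d.text for d in root.findall('e:EventData/e:Data', NS)}
    return [DeletionEvent('sysmon', data.get('User', '?'),
                          data.get('Image', '?'), data.get('TargetFilename', '?'))]

# Triage rules: the directories and tool names are assumptions for this example,
# chosen to catch log removal and secure-wipe utilities; tune them per estate.
LOG_DIRS = ('/var/log/', 'c:\\windows\\system32\\winevt\\logs\\')
WIPE_TOOLS = {'srm', 'shred'}

def triage(event):
    """Return a reason if the deletion looks like track covering, else None."""
    path = event.path.lower()
    tool = event.process.replace('\\', '/').rsplit('/', 1)[-1].lower()
    if any(path.startswith(d) for d in LOG_DIRS):
        return 'log file deleted'
    if tool in WIPE_TOOLS:
        return f'secure-wipe tool {tool} used'
    return None

def run(auditd_text, sysmon_xml):
    """Normalise both sources and pair each event with its triage verdict."""
    events = parse_auditd(auditd_text) + parse_sysmon(sysmon_xml)
    return [(e, triage(e)) for e in events]

if __name__ == '__main__':
    for event, reason in run(AUDITD_SAMPLE, SYSMON_SAMPLE):
        flag = f'ALERT ({reason})' if reason else 'ok'
        print(f'{event.source:7} {event.user:22} {event.process:32} {event.path}  {flag}')
```

The auditd parser keys on nametype=DELETE rather than on the syscall number, so the same code works whether the rule fired on unlink, unlinkat or rename; the gcc temporary-object deletion in the sample shows that an unfiltered rule will be noisy and that triage has to happen before alerting, not at collection time.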
ID: DC0040
Domains: ICS, Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 21 October 2025

Log Sources

Name                                  Channel
auditd:CONFIG_CHANGE                  /etc/fstab, /etc/systemd/*
auditd:SYSCALL                        unlink/unlinkat on service binaries or data targets
auditd:SYSCALL                        file deletion
auditd:SYSCALL                        PATH
auditd:SYSCALL                        unlink, unlinkat, openat, write
auditd:SYSCALL                        unlink, unlinkat, rmdir
auditd:SYSCALL                        unlink, rename, open
auditd:SYSCALL                        unlink/unlinkat
docker:daemon                         container file operations
esxi:hostd                            delete action
esxi:hostd                            rm, clearlogs, logrotate
esxi:hostd                            Datastore file operations
esxi:shell                            shell history
esxi:shell                            /var/log/shell.log
File                                  None
fs:fsusage                            unlink, fs_delete
linux:Sysmon                          EventCode=23
macos:osquery                         file_events
macos:osquery                         CREATE, DELETE, WRITE: stored data manipulation attempts by unauthorized processes
macos:unifiedlog                      exec rm -rf|dd if=/dev|srm|file unlink
WinEventLog:Microsoft-Windows-Backup  Windows Backup Catalog deletion or catalog corruption
WinEventLog:Sysmon                    EventCode=23

Detection Strategy