Behavioral Detection of Malicious File Deletion

Technique Detected: File Deletion | T1070.004

ID: DET0140
Domains: Enterprise
Analytics: AN0392, AN0393, AN0394, AN0395
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0392

Detects an adversary deleting artifacts (e.g., dropped payloads, evidence files) with native or external utilities (e.g., del, erase, SDelete). Deletion events are correlated with unusual process lineage (the deleting process was spawned by the file it removes) or with timing shortly after the deleted file was executed.

Log Sources
Data Component | Name | Channel
File Deletion (DC0040) | WinEventLog:Sysmon | EventCode=23
File Access (DC0055) | WinEventLog:Security | EventCode=4663
Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4104

Mutable Elements
Field | Description
TimeWindow | Correlation window after a suspicious binary execution or logon session within which deletions are examined.
FilePathPattern | Restricts matching to deletions of temp files, malware staging directories, or known indicator paths.
UserContext | Privilege level or impersonated user performing the deletion of sensitive files.
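The correlation AN0392 describes, as an added example that is not code from this page or from MITRE. It assumes Sysmon EID 1 (ProcessCreate) and EID 23 (FileDelete) events have already been parsed into dicts keyed by Sysmon's field names (UtcTime, ProcessGuid, Image, ParentImage, TargetFilename, User); the sample events, their GUIDs and paths are constructed. The three mutable elements above appear as tunables at the top.

```python
"""Correlate Sysmon file deletions with the process activity that preceded them.

Added illustration for AN0392, not code from the ATT&CK page. Sample events
below are constructed, not captured from a real host.
"""
import re
from datetime import datetime, timedelta

# Mutable elements of the analytic, expressed as tunables.
TIME_WINDOW = timedelta(minutes=5)                       # TimeWindow
FILE_PATH_PATTERN = re.compile(                          # FilePathPattern
    r"(?i)\\(Temp|ProgramData|Users\\Public)\\.*\.(exe|dll|ps1|bat|vbs|js)$")
PRIVILEGED_USER = re.compile(                            # UserContext
    r"(?i)^(NT AUTHORITY\\SYSTEM|[^\\]+\\Administrator)$")
SECURE_DELETE_TOOLS = {"sdelete.exe", "sdelete64.exe"}
# Only behavioral findings raise an alert; path and privilege findings enrich it.
TRIGGERS = {"deleted_after_execution", "parent_is_deleted_file", "secure_deletion_tool"}

SAMPLE_EVENTS = [  # constructed Sysmon events
    # Benign: installer run in the morning, removed from Explorer hours later.
    {"EventCode": 1, "UtcTime": "2025-10-21 09:00:00.000", "ProcessGuid": "{C}",
     "Image": r"C:\Users\jdoe\Downloads\setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\jdoe"},
    # Suspicious: payload runs from Temp, spawns cmd.exe, which deletes the payload.
    {"EventCode": 1, "UtcTime": "2025-10-21 14:02:10.000", "ProcessGuid": "{A}",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"CORP\jdoe"},
    {"EventCode": 1, "UtcTime": "2025-10-21 14:02:11.000", "ProcessGuid": "{B}",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c del /f /q "C:\Users\jdoe\AppData\Local\Temp\update.exe"',
     "ParentImage": r"C:\Users\jdoe\AppData\Local\Temp\update.exe", "User": r"CORP\jdoe"},
    {"EventCode": 23, "UtcTime": "2025-10-21 14:02:11.500", "ProcessGuid": "{B}",
     "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Local\Temp\update.exe", "User": r"CORP\jdoe"},
    {"EventCode": 23, "UtcTime": "2025-10-21 14:30:00.000", "ProcessGuid": "{E}",
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\jdoe\Downloads\setup.exe", "User": r"CORP\jdoe"},
    # Benign: Windows Update cleanup by SYSTEM, outside any staging path.
    {"EventCode": 23, "UtcTime": "2025-10-21 16:30:00.000", "ProcessGuid": "{D}",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\SoftwareDistribution\Download\abc.cab",
     "User": r"NT AUTHORITY\SYSTEM"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def correlate(events, window=TIME_WINDOW):
    """Return one alert per EID 23 deletion that the analytic considers suspicious."""
    creates = [e for e in events if e["EventCode"] == 1]
    by_guid = {e["ProcessGuid"]: e for e in creates}   # join key EID 23 -> EID 1
    alerts = []
    for ev in events:
        if ev["EventCode"] != 23:
            continue
        t_del = _ts(ev["UtcTime"])
        target = ev["TargetFilename"].lower()
        reasons = []
        # Timing post-execution: the deleted file was itself executed within the window.
        if any(c["Image"].lower() == target
               and timedelta(0) <= t_del - _ts(c["UtcTime"]) <= window for c in creates):
            reasons.append("deleted_after_execution")
        # Lineage: the deleting process was spawned by the file it deletes (self-cleanup).
        deleter = by_guid.get(ev["ProcessGuid"])
        if deleter and deleter.get("ParentImage", "").lower() == target:
            reasons.append("parent_is_deleted_file")
        if ev["Image"].rsplit("\\", 1)[-1].lower() in SECURE_DELETE_TOOLS:
            reasons.append("secure_deletion_tool")
        if FILE_PATH_PATTERN.search(ev["TargetFilename"]):
            reasons.append("staging_path")
        if reasons and PRIVILEGED_USER.match(ev.get("User", "")):
            reasons.append("privileged_context")
        if TRIGGERS & set(reasons):
            alerts.append({"UtcTime": ev["UtcTime"], "User": ev.get("User"),
                           "Image": ev["Image"], "TargetFilename": ev["TargetFilename"],
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

Only the Temp payload is alerted: it was executed 1.5 seconds before deletion and the deleting cmd.exe is its child. The setup.exe removal is outside TimeWindow with no lineage link, and the SYSTEM cleanup matches none of the triggers, so a staging-path or privileged-user match alone never fires. EID 4104 script blocks (Remove-Item and friends) can feed the same correlator once mapped to the deleting process.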

AN0393

Detects deletion of suspicious files (e.g., payloads, temp exes, scripts) via rm, unlink, or secure deletion tools like shred, especially when performed by unexpected users or shortly after execution.

Log Sources
Data Component | Name | Channel
File Deletion (DC0040) | auditd:SYSCALL | PATH
Process Creation (DC0032) | auditd:SYSCALL | execve

Mutable Elements
Field | Description
PathRegex | Pattern matching known attacker staging directories or hidden file paths.
TimeWindow | Deletion shortly after process execution or privilege escalation.
SecureDeletionTool | Uncommon presence or use of `shred`, `wipe`, or `srm`.
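The auditd side of AN0393, as an added example that is not code from this page or from MITRE. auditd splits one event into several records (SYSCALL, EXECVE, CWD, PATH) that share a serial number, so the example first regroups raw lines by serial, then examines every PATH record with nametype=DELETE. It assumes rules that log execve and the unlink/unlinkat syscalls (for instance `-a always,exit -F arch=b64 -S execve -k exec` and `-a always,exit -F arch=b64 -S unlink,unlinkat -k delete`); the audit lines are constructed in auditd's format, with made-up pids, inodes and paths. The auid-versus-uid comparison used for "unexpected user" is a heuristic this example adds: auid is the login uid, so a different uid means su or sudo happened in between.

```python
"""Pull suspicious file deletions out of raw auditd records.

Added illustration for AN0393, not code from the ATT&CK page. The sample lines
below are constructed in the auditd record format, not captured from a host.
"""
import re

# Mutable elements of the analytic, expressed as tunables.
TIME_WINDOW = 300.0                                                  # TimeWindow (seconds)
PATH_REGEX = re.compile(r"^/(tmp|var/tmp|dev/shm)/|/\.[^/]+")       # PathRegex: staging dirs or hidden names
SECURE_DELETION_TOOLS = {"shred", "wipe", "srm"}                      # SecureDeletionTool

SAMPLE_AUDIT_LINES = """\
type=SYSCALL msg=audit(1761055300.100:9000): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=4100 pid=4120 auid=1000 uid=1000 gid=1000 euid=1000 comm="payload" exe="/tmp/.cache/payload" key="exec"
type=EXECVE msg=audit(1761055300.100:9000): argc=1 a0="/tmp/.cache/payload"
type=PATH msg=audit(1761055300.100:9000): item=0 name="/tmp/.cache/payload" inode=1310 mode=0100755 nametype=NORMAL
type=SYSCALL msg=audit(1761055330.412:9001): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=4120 pid=4133 auid=1000 uid=1000 gid=1000 euid=1000 comm="shred" exe="/usr/bin/shred" key="exec"
type=EXECVE msg=audit(1761055330.412:9001): argc=3 a0="shred" a1="-u" a2="/tmp/.cache/payload"
type=PATH msg=audit(1761055330.412:9001): item=0 name="/usr/bin/shred" inode=2200 mode=0100755 nametype=NORMAL
type=SYSCALL msg=audit(1761055330.420:9002): arch=c000003e syscall=263 success=yes exit=0 items=2 ppid=4120 pid=4133 auid=1000 uid=1000 gid=1000 euid=1000 comm="shred" exe="/usr/bin/shred" key="delete"
type=PATH msg=audit(1761055330.420:9002): item=0 name="/tmp/.cache/" inode=1300 mode=040755 nametype=PARENT
type=PATH msg=audit(1761055330.420:9002): item=1 name="/tmp/.cache/payload" inode=1310 mode=0100755 nametype=DELETE
type=SYSCALL msg=audit(1761058000.000:9010): arch=c000003e syscall=87 success=yes exit=0 items=2 ppid=900 pid=901 auid=4294967295 uid=0 gid=0 euid=0 comm="logrotate" exe="/usr/sbin/logrotate" key="delete"
type=PATH msg=audit(1761058000.000:9010): item=0 name="/var/log/" inode=70 mode=040755 nametype=PARENT
type=PATH msg=audit(1761058000.000:9010): item=1 name="/var/log/syslog.7.gz" inode=77 mode=0100640 nametype=DELETE
type=SYSCALL msg=audit(1761059000.000:9020): arch=c000003e syscall=87 success=yes exit=0 items=2 ppid=5000 pid=5011 auid=1000 uid=0 gid=0 euid=0 comm="rm" exe="/usr/bin/rm" key="delete"
type=PATH msg=audit(1761059000.000:9020): item=0 name="/root/" inode=2 mode=040700 nametype=PARENT
type=PATH msg=audit(1761059000.000:9020): item=1 name="/root/.bash_history" inode=15 mode=0100600 nametype=DELETE
""".splitlines()

_HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit(lines):
    """Group raw records by audit serial; every record of one event shares the serial."""
    events = {}
    for line in lines:
        m = _HEADER.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in _KV.findall(body)}
        ev = events.setdefault(serial, {"time": float(ts), "records": {}})
        ev["records"].setdefault(rtype, []).append(fields)
    return events


def find_suspicious_deletions(lines, window=TIME_WINDOW):
    """Return alerts for PATH records with nametype=DELETE that match the analytic."""
    events = parse_audit(lines)
    exec_times = {}      # executed path -> time of its most recent execve
    alerts = []
    for serial in sorted(events, key=lambda s: events[s]["time"]):
        ev = events[serial]
        syscalls = ev["records"].get("SYSCALL")
        if not syscalls:
            continue
        sc = syscalls[0]
        paths = ev["records"].get("PATH", [])
        if "EXECVE" in ev["records"]:        # process creation: remember what ran, and when
            for p in paths:
                if p.get("item") == "0":     # item 0 of an execve is the program path
                    exec_times[p["name"]] = ev["time"]
            continue
        for p in paths:
            if p.get("nametype") != "DELETE":
                continue
            reasons = []
            if PATH_REGEX.search(p["name"]):
                reasons.append("staging_or_hidden_path")
            if sc.get("comm") in SECURE_DELETION_TOOLS:
                reasons.append("secure_deletion_tool:" + sc["comm"])
            t_exec = exec_times.get(p["name"])
            if t_exec is not None and 0 <= ev["time"] - t_exec <= window:
                reasons.append("deleted_after_execution")
            if reasons:
                # auid 4294967295 is "unset" (daemons); a uid that differs from auid
                # means the login user changed identity (su/sudo) before deleting.
                if sc.get("auid") not in ("4294967295", sc.get("uid")):
                    reasons.append("uid_differs_from_login_uid")
                alerts.append({"serial": serial, "time": ev["time"], "path": p["name"],
                               "comm": sc.get("comm"), "auid": sc.get("auid"),
                               "uid": sc.get("uid"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_deletions(SAMPLE_AUDIT_LINES):
        print(a)
```

The shred -u of /tmp/.cache/payload is flagged on all three counts (staging path, secure deletion tool, deleted 30 seconds after it was executed); the rm of /root/.bash_history is flagged as a hidden file removed by a root shell whose login uid is 1000; logrotate's routine deletion under /var/log matches nothing and stays quiet. Note that shred's overwrite passes show up as separate write syscalls and are not needed here; the unlinkat it ends with carries comm="shred", which is what the SecureDeletionTool element keys on.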

AN0394

Detects removal of adversary artifacts via rm, unlink, or secure deletion tools, focusing on shell sessions, temp files, and modified LaunchAgents or system directories.

Log Sources
Data Component | Name | Channel
File Modification (DC0061) | fs:fsusage | unlink, write
Process Creation (DC0032) | macos:unifiedlog | process

Mutable Elements
Field | Description
FilePathRegex | Focus on LaunchAgents, /tmp/, or user folders.
ToolUsageAnomaly | Detecting use of unfamiliar tools by common users.

AN0395

Detects manual or scripted removal of logs, artifacts, or dropped malware via rm in the ESXi shell or via PowerCLI, focusing on deletions from /tmp/, /var/core/, or /scratch.

Log Sources
Data Component | Name | Channel
File Deletion (DC0040) | esxi:shell | /var/log/shell.log

Mutable Elements
Field | Description
LogFilePath | Match deletion actions in system-critical locations or malware drop zones.
TimeWindow | Typically follows a suspicious admin login or unexpected shell session.