detection.wiki

ATT&CK coverage › Technique

Indicator Removal: File Deletion T1070.004

Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.

Events covered

10 catalog events are tagged with this technique by at least one rule.

ProviderEvent IDTitle
Sysmon1Process creation
Sysmon12RegistryEvent (Object create and delete)
Sysmon13RegistryEvent (Value Set)
Sysmon23FileDelete (File Delete archived)
Sysmon26FileDeleteDetected (File Delete logged)
Security-Auditing4656A handle to an object was requested.
Security-Auditing4658The handle to an object was closed.
Security-Auditing4663An attempt was made to access an object.
Security-Auditing4688A new process has been created.
Backup524The system catalog has been deleted.

Authoring guide

Patterns shared across the 15 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (10 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
Image7ends_with 5, eq 2\cmd.exe, C:\Program Files\PowerShell\7\pwsh.exe, C:\Program Files\Mozilla Firefox\firefox.exe, C:\Windows\explorer.exe, :\windows\system32\svchost.exe
TargetFilename7ends_with 4, match 2, eq 2, in 1:Zone.Identifier, .AAA, \Wireshark\radius\dictionary.alcatel-lucent.aaa, .ZZZ, .pf
CommandLine5match 5del , erase , /q, rmdir, /s
OriginalFileName4eq 4Cmd.Exe
EventID3in 2, eq 1"23", "26", 23
Provider_Name1eq 1Microsoft-Windows-Backup
ObjectName1ends_with 1.AAA, .ZZZ
user1match 1AUTORI, AUTHORI
EventType1eq 1deleted
registry_path1eq 1"*\\Microsoft\\Terminal Server Client\\Servers\\*"

Top indicator values (57 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

FieldKindValueRules (here)Corpus reach
Imageends_with\cmd.exe492
OriginalFileNameeqCmd.Exe432
CommandLinematchdel 35
CommandLinematcherase 23
CommandLinematchping24
CommandLinematch -n 25
EventIDin"23"26
EventIDin"26"26
ImageeqC:\Program Files (x86)\Mozilla Firefox\firefox.exe111
ImageeqC:\Program Files\PowerShell\7\pwsh.exe14
ImageeqC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe14
ImageeqC:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe111
TargetFilenameends_with:Zone.Identifier13
ImageeqC:\Program Files\Microsoft\Edge\Application\msedge.exe111
ImageeqC:\Program Files\PowerShell\7-preview\pwsh.exe13
ImageeqC:\Windows\SysWOW64\explorer.exe12
ImageeqC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe13
ImageeqC:\Windows\explorer.exe19
ImageeqC:\Program Files (x86)\Google\Chrome\Application\chrome.exe111
ImageeqC:\Program Files\Google\Chrome\Application\chrome.exe112

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 11 rules

Splunk 4 rules