T1070.004

File Deletion

Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. There are tools available from the host operatin...

ESXiLinuxmacOSWindows

Detections

Sources

Threat Actors

BY SOURCE

15splunk_escu13sigma12elastic

PROCEDURES (17)

General Monitoring9 detections

Auto-extracted: 9 detections for general monitoring

Process Creation Monitoring8 detections

Auto-extracted: 8 detections for process creation monitoring

Event Log4 detections

Auto-extracted: 4 detections for event log

File Monitoring4 detections

Auto-extracted: 4 detections for file monitoring

Service2 detections

Auto-extracted: 2 detections for service

Ransomware2 detections

Auto-extracted: 2 detections for ransomware

Unusual1 detections

Auto-extracted: 1 detections for unusual

Evasion1 detections

Auto-extracted: 1 detections for evasion

Lateral1 detections

Auto-extracted: 1 detections for lateral

Registry1 detections

Auto-extracted: 1 detections for registry

Evasion1 detections

Auto-extracted: 1 detections for evasion

Lateral1 detections

Auto-extracted: 1 detections for lateral

Persist1 detections

Auto-extracted: 1 detections for persist

Persist1 detections

Auto-extracted: 1 detections for persist

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Authentication Monitoring1 detections

Auto-extracted: 1 detections for authentication monitoring

Ransomware1 detections

Auto-extracted: 1 detections for ransomware

DETECTIONS (40)

ADS Zone.Identifier Deleted By Uncommon Application

sigmamedium

Backup Catalog Deleted

File Deletion

BY SOURCE

PROCEDURES (17)

THREAT ACTORS (46)

DETECTIONS (40)