Description
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in Command and Scripting Interpreter functions include del on Windows, rm or unlink on Linux and macOS, and rm on ESXi.
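A defender-side check for the pattern the description outlines (a non-native file dropped onto a host and then removed shortly afterwards by a built-in interpreter, a wiper such as SDelete, or the payload itself), written here as an added example and not code from ATT&CK or any vendor; the pipe-delimited telemetry format, the DELETERS list, the ten-minute window and the sample events are all constructed assumptions.

```python
"""Flag dropped files that are removed shortly after creation, the pattern
behind T1070.004 (File Deletion). Telemetry format and samples are constructed."""
from datetime import datetime, timedelta

# Built-in interpreters and wipers commonly used for cleanup (assumed list; tune
# it to the tooling seen in your environment).
DELETERS = {"cmd.exe", "powershell.exe", "sdelete.exe", "sdelete64.exe",
            "sh", "bash", "rm", "unlink"}
WINDOW = timedelta(minutes=10)  # create-to-delete gap that counts as "short-lived"

def parse(line):
    """Parse one constructed pipe-delimited event: ts|host|event|path|image."""
    ts, host, event, path, image = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "event": event, "path": path, "image": image}

def find_suspicious_deletions(lines):
    """Return one finding per file deleted within WINDOW of its creation."""
    created = {}   # (host, lower-cased path) -> creation event
    findings = []
    for ev in sorted((parse(ln) for ln in lines), key=lambda e: e["ts"]):
        key = (ev["host"], ev["path"].lower())
        if ev["event"] == "create":
            created[key] = ev
        elif ev["event"] == "delete":
            origin = created.pop(key, None)
            if origin is None or ev["ts"] - origin["ts"] > WINDOW:
                continue  # not a recently dropped file; ordinary churn
            reasons = ["dropped-then-deleted"]
            deleter = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            if deleter in DELETERS:
                reasons.append(f"deleted by {deleter}")
            if ev["image"].lower() == ev["path"].lower():
                reasons.append("self-deletion")
            findings.append({"host": ev["host"], "path": ev["path"],
                             "dropped_by": origin["image"], "reasons": reasons})
    return findings

# Constructed sample telemetry: two cleanup sequences and one benign edit/delete.
SAMPLE = [
    r"2024-05-01T10:00:00|ws01|create|C:\Users\bob\AppData\Local\Temp\upd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"2024-05-01T10:03:12|ws01|delete|C:\Users\bob\AppData\Local\Temp\upd.exe|C:\Windows\System32\cmd.exe",
    r"2024-05-01T09:00:00|srv02|create|/tmp/.x/loader|/usr/bin/curl",
    r"2024-05-01T09:00:30|srv02|delete|/tmp/.x/loader|/tmp/.x/loader",
    r"2024-05-01T08:00:00|ws01|create|C:\Users\bob\Documents\report.docx|C:\Program Files\Microsoft Office\WINWORD.EXE",
    r"2024-05-01T12:00:00|ws01|delete|C:\Users\bob\Documents\report.docx|C:\Windows\explorer.exe",
]

if __name__ == "__main__":
    for f in find_suspicious_deletions(SAMPLE):
        print(f"{f['host']}: {f['path']} ({', '.join(f['reasons'])})")
```

The document edit deleted four hours after creation falls outside the window and produces no finding, which is the point of correlating against creation time rather than alerting on every delete.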
Platforms
Threat Groups (47)
| ID | Group | Context |
|---|---|---|
| G0143 | Aquatic Panda | [Aquatic Panda](https://attack.mitre.org/groups/G0143) has deleted malicious executables from compromised machines.(Citation: CrowdStrike AQUATIC PAND... |
| G0051 | FIN10 | [FIN10](https://attack.mitre.org/groups/G0051) has used batch scripts and scheduled tasks to delete critical system files.(Citation: FireEye FIN10 Jun... |
| G0045 | menuPass | A [menuPass](https://attack.mitre.org/groups/G0045) macro deletes files after it has decoded and decompressed them.(Citation: Accenture Hogfish April ... |
| G0060 | BRONZE BUTLER | The [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) uploader or malware the uploader uses <code>command</code> to delete the RAR archives after... |
| G0081 | Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has deleted dropper files on an infected system using command scripts.(Citation: TrendMicro Tr... |
| G0139 | TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has used a payload that removes itself after running. [TeamTNT](https://attack.mitre.org/groups/G0139... |
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) has used a utility called CLOSESHAVE that can securely delete a file from the system. They have also re... |
| G0053 | FIN5 | [FIN5](https://attack.mitre.org/groups/G0053) uses [SDelete](https://attack.mitre.org/software/S0195) to clean up the environment and attempt to preve... |
| G1040 | Play | [Play](https://attack.mitre.org/groups/G1040) has used tools including [Wevtutil](https://attack.mitre.org/software/S0645) to remove malicious files f... |
| G1043 | BlackByte | [BlackByte](https://attack.mitre.org/groups/G1043) deleted ransomware executables post-encryption.(Citation: Picus BlackByte 2022)(Citation: Symantec ... |
| G1003 | Ember Bear | [Ember Bear](https://attack.mitre.org/groups/G1003) deletes files related to lateral movement to avoid detection.(Citation: Cadet Blizzard emerges as ... |
| G1054 | MirrorFace | [MirrorFace](https://attack.mitre.org/groups/G1054) has deleted directories containing malware and archives with files collected from the victim envir... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has deleted the exfiltrated data on disk after transmission. [Kimsuky](https://attack.mitre.org/group... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has deleted files associated with their payload after execution.(Citation: FireEye APT34 Dec 2017)(Cit... |
| G0037 | FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) has removed files from victim machines.(Citation: FireEye FIN6 April 2016) |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) deleted files from the system.(Citation: FireEye APT41 Aug 2019)(Citation: Rostovcev APT41 2021) |
| G0087 | APT39 | [APT39](https://attack.mitre.org/groups/G0087) has used malware to delete files after they are deployed on a compromised host.(Citation: FBI FLASH APT... |
| G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used [SDelete](https://attack.mitre.org/software/S0195) to remove artifacts from victim networks.(C... |
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has used file deletion to remove some modules and configurations from an infected host after us... |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has intentionally deleted computer files to cover their tracks, including with use of the program CClea... |
Associated Software (248)
| ID | Name | Type | Context |
|---|---|---|---|
| S0164 | TDTESS | Malware | [TDTESS](https://attack.mitre.org/software/S0164) creates then deletes log files during installation of itself as a service.(Citation: ClearSky Wilted... |
| S9020 | LODEINFO | Malware | [LODEINFO](https://attack.mitre.org/software/S9020) can delete files to remove traces of activity from victim systems.(Citation: ITOCHU LODEINFO JAN 2... |
| S0395 | LightNeuron | Malware | [LightNeuron](https://attack.mitre.org/software/S0395) has a function to delete files.(Citation: ESET LightNeuron May 2019) |
| S1150 | ROADSWEEP | Malware | [ROADSWEEP](https://attack.mitre.org/software/S1150) can use embedded scripts to remove itself from the infected host.(Citation: Mandiant ROADSWEEP Au... |
| S0654 | ProLock | Malware | [ProLock](https://attack.mitre.org/software/S0654) can remove files containing its payload after they are executed.(Citation: Group IB Ransomware Sept... |
| S1212 | RansomHub | Malware | [RansomHub](https://attack.mitre.org/software/S1212) has the ability to self-delete.(Citation: Group-IB RansomHub FEB 2025) |
| S0354 | Denis | Malware | [Denis](https://attack.mitre.org/software/S0354) has a command to delete files from the victim’s machine.(Citation: Cybereason Oceanlotus May 2017)(Ci... |
| S0448 | Rising Sun | Malware | [Rising Sun](https://attack.mitre.org/software/S0448) can delete files and artifacts it creates.(Citation: McAfee Sharpshooter December 2018) |
| S0593 | ECCENTRICBANDWAGON | Malware | [ECCENTRICBANDWAGON](https://attack.mitre.org/software/S0593) can delete log files generated from the malware stored at <code>C:\windows\temp\tmp0207<... |
| S0370 | SamSam | Malware | [SamSam](https://attack.mitre.org/software/S0370) has been seen deleting its own files and payloads to make analysis of the attack more difficult.(Cit... |
| S0390 | SQLRat | Malware | [SQLRat](https://attack.mitre.org/software/S0390) has been observed deleting scripts once used.(Citation: Flashpoint FIN 7 March 2019) |
| S1027 | Heyoka Backdoor | Malware | [Heyoka Backdoor](https://attack.mitre.org/software/S1027) has the ability to delete folders and files from a targeted system.(Citation: SentinelOne A... |
| S0282 | MacSpy | Malware | [MacSpy](https://attack.mitre.org/software/S0282) deletes any temporary files it creates.(Citation: alientvault macspy) |
| S0584 | AppleJeus | Malware | [AppleJeus](https://attack.mitre.org/software/S0584) has deleted the MSI file after installation.(Citation: CISA AppleJeus Feb 2021) |
| S0437 | Kivars | Malware | [Kivars](https://attack.mitre.org/software/S0437) has the ability to uninstall malware from the infected host.(Citation: TrendMicro BlackTech June 201... |
| S1105 | COATHANGER | Malware | [COATHANGER](https://attack.mitre.org/software/S1105) removes files from victim environments following use in multiple instances.(Citation: NCSC-NL CO... |
| S0527 | CSPY Downloader | Tool | [CSPY Downloader](https://attack.mitre.org/software/S0527) has the ability to self delete.(Citation: Cybereason Kimsuky November 2020) |
| S0344 | Azorult | Malware | [Azorult](https://attack.mitre.org/software/S0344) can delete files from victim machines.(Citation: Unit42 Azorult Nov 2018) |
| S0673 | DarkWatchman | Malware | [DarkWatchman](https://attack.mitre.org/software/S0673) has been observed deleting its original launcher after installation.(Citation: Prevailion Dark... |
| S1182 | MagicRAT | Malware | [MagicRAT](https://attack.mitre.org/software/S1182) can delete files on victim systems, including itself.(Citation: Cisco MagicRAT 2022) |
References
Frequently Asked Questions
What is T1070.004 (File Deletion)?
T1070.004 is a MITRE ATT&CK technique named 'File Deletion'. It belongs to the Stealth tactic(s). Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfe...
How can T1070.004 be detected?
Detection of T1070.004 (File Deletion) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1070.004?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1070.004?
Known threat groups using T1070.004 include: Aquatic Panda, FIN10, menuPass, BRONZE BUTLER, Tropic Trooper, TeamTNT, APT38, FIN5.