
DET0140 Behavioral Detection of Malicious File Deletion

Item | Value
ID | DET0140
Version | 1.0
Created | 21 October 2025
Last Modified | 21 October 2025

Technique Detected: T1070.004 (File Deletion)

Analytics

Windows

AN0392

Detects an adversary deleting artifacts (e.g., dropped payloads, evidence files) with native or external utilities (e.g., del, erase, SDelete). Deletion events are correlated with unusual process lineage of the deleting process, or with timing: removal of a file shortly after that file was executed.

Log Sources
Data Component | Name | Channel
File Deletion (DC0040) | WinEventLog:Sysmon | EventCode=23
File Access (DC0055) | WinEventLog:Security | EventCode=4663, 4670, 4656
Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4103, 4104, 4105, 4106
Mutable Elements
Field | Description
TimeWindow | Correlation window after a suspicious binary execution or logon session.
FilePathPattern | Focuses on deletion of temp files, malware staging directories, or known indicators.
UserContext | Privilege level or impersonated user deleting sensitive files.
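The AN0392 correlation written out as a runnable added example (this is not MITRE's or the page's code): it joins Sysmon Event 23 (FileDelete) records to Event 1 (ProcessCreate) records by ProcessGuid, applies the TimeWindow and FilePathPattern elements above, treats a script host spawned by an Office application as unusual lineage, and flags SDelete regardless of path. The path regex, the tool and parent/child name sets, and the sample events themselves are constructed assumptions, not values from the detection strategy.

```python
"""Added example: correlate Sysmon FileDelete (Event 23) with ProcessCreate (Event 1).

A deletion is reported when the target sits in a staging location (FILE_PATH_PATTERN)
and either the file itself ran within TIME_WINDOW before removal or the deleting
process has an unusual lineage (script host under an Office parent). Secure-deletion
utilities are reported regardless of path. All tunables below are assumptions.
"""
from datetime import datetime, timedelta
import re

TIME_WINDOW = timedelta(minutes=5)                    # mutable element: TimeWindow
FILE_PATH_PATTERN = re.compile(                       # mutable element: FilePathPattern
    r"\\(Temp|ProgramData|Public|Downloads)\\.*\.(exe|dll|ps1|bat|vbs)$", re.I)
SECURE_DELETE_TOOLS = {"sdelete.exe", "sdelete64.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")   # Sysmon UtcTime layout


def basename(p):
    return p.rsplit("\\", 1)[-1].lower()


def correlate(events):
    """Return findings as dicts: target, deleting image, user, and the reasons that fired."""
    proc_by_guid = {}      # ProcessGuid -> Event 1 record (gives ParentImage for lineage)
    runs_by_image = {}     # lower-cased Image path -> [UtcTime] of each execution
    findings = []
    for ev in sorted(events, key=lambda e: parse_ts(e["UtcTime"])):
        if ev["EventID"] == 1:
            proc_by_guid[ev["ProcessGuid"]] = ev
            runs_by_image.setdefault(ev["Image"].lower(), []).append(parse_ts(ev["UtcTime"]))
            continue
        if ev["EventID"] != 23:
            continue
        ts, target = parse_ts(ev["UtcTime"]), ev["TargetFilename"]
        deleter = proc_by_guid.get(ev["ProcessGuid"])   # None if Event 1 was not collected
        reasons = []
        secure = basename(ev["Image"]) in SECURE_DELETE_TOOLS
        if secure:
            reasons.append(f"secure deletion tool {basename(ev['Image'])}")
        # Timing: the deleted file was itself launched within TIME_WINDOW before removal.
        for ran_at in runs_by_image.get(target.lower(), []):
            if timedelta(0) <= ts - ran_at <= TIME_WINDOW:
                reasons.append(f"target executed {int((ts - ran_at).total_seconds())}s before deletion")
                break
        # Lineage: a script host whose parent is an Office application.
        if deleter and basename(deleter["Image"]) in SCRIPT_HOSTS \
                and basename(deleter["ParentImage"]) in OFFICE_PARENTS:
            reasons.append(f"{basename(deleter['Image'])} spawned by {basename(deleter['ParentImage'])}")
        if secure or (FILE_PATH_PATTERN.search(target) and reasons):
            findings.append({"target": target, "image": ev["Image"],
                             "user": ev["User"], "reasons": reasons})
    return findings


# Constructed events in the shape of Sysmon EventData fields (not captured telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2025-10-21 09:59:50.000", "ProcessGuid": "{P1}", "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 1, "UtcTime": "2025-10-21 10:00:00.000", "ProcessGuid": "{U1}", "User": "CORP\\bob",
     "Image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 23, "UtcTime": "2025-10-21 10:00:45.000", "ProcessGuid": "{P1}", "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
    {"EventID": 1, "UtcTime": "2025-10-21 11:00:00.000", "ProcessGuid": "{C1}", "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 23, "UtcTime": "2025-10-21 11:00:05.000", "ProcessGuid": "{C1}", "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\cmd.exe", "TargetFilename": r"C:\Users\bob\Documents\notes.txt"},
    {"EventID": 23, "UtcTime": "2025-10-21 12:00:01.000", "ProcessGuid": "{S1}", "User": "CORP\\bob",
     "Image": r"C:\Tools\sdelete64.exe", "TargetFilename": r"C:\ProgramData\stage\payload.dll"},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"ALERT {f['user']} via {basename(f['image'])} deleted {f['target']}: {'; '.join(f['reasons'])}")
```

Running the sample yields two alerts: the Temp\update.exe removal (executed 45 s earlier, and deleted by a PowerShell whose parent is WINWORD.EXE) and the SDelete run on ProgramData\stage\payload.dll; the cmd.exe deletion of a document under Documents is left alone. The third event has no matching Event 1, which the code tolerates because Event 23 carries Image and User itself; lineage reasons simply cannot fire for it.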

Linux

AN0393

Detects deletion of suspicious files (e.g., payloads, temporary executables, scripts) via rm, unlink, or secure deletion tools such as shred, especially when performed by an unexpected user or shortly after the file was executed.

Log Sources
Data Component | Name | Channel
File Deletion (DC0040) | auditd:SYSCALL | PATH
Process Creation (DC0032) | auditd:SYSCALL | execve
Mutable Elements
Field | Description
PathRegex | Pattern matching known attacker staging directories or hidden file paths.
TimeWindow | Deletion shortly after process execution or privilege escalation.
SecureDeletionTool | Uncommon presence or use of shred, wipe, or srm.
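The AN0393 logic over raw auditd records, as an added example that is not part of the detection strategy: records are grouped by audit serial, the PATH record with nametype=DELETE names the removed file, and each deletion is checked against PathRegex, TimeWindow (a prior execve of the same path) and SecureDeletionTool, plus a login auid that differs from the acting uid (privilege escalation before the deletion). The syscall numbers assume x86_64 (arch=c000003e); the regex, window, tool list and the sample records are constructed assumptions.

```python
"""Added example: flag suspicious unlink/unlinkat calls in auditd output (AN0393 style).

Correlates PATH records with nametype=DELETE to (1) a recent execve of the same file,
(2) secure-deletion utilities, (3) a uid that differs from the login auid. The window,
path regex, tool names and syscall numbers are tunable assumptions, not page values.
"""
import re
from collections import defaultdict

TIME_WINDOW = 300.0                                   # seconds from execve to deletion
PATH_REGEX = re.compile(r"^(/tmp|/var/tmp|/dev/shm)/|/\.[^/]+/")   # staging or hidden dirs
SECURE_DELETION_TOOLS = {"shred", "wipe", "srm"}
UNLINK_SYSCALLS = {"87", "263"}                       # x86_64 unlink / unlinkat (assumes arch=c000003e)
EXECVE_SYSCALL = "59"                                 # x86_64 execve
UNSET_AUID = "4294967295"                             # auditd renders "no login session" (-1) this way

HDR = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse(lines):
    """Group raw auditd lines by serial: serial -> {"ts": float, "recs": [(type, fields), ...]}."""
    events = {}
    for line in lines:
        m = HDR.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV.findall(body)}
        events.setdefault(serial, {"ts": float(ts), "recs": []})["recs"].append((rtype, fields))
    return events


def detect(lines):
    """Return findings as (deleted path, comm, reasons) tuples, in time order."""
    execs = defaultdict(list)   # executable path -> timestamps at which it was execve'd
    findings = []
    for ev in sorted(parse(lines).values(), key=lambda e: e["ts"]):
        sc = next((f for t, f in ev["recs"] if t == "SYSCALL"), None)
        if sc is None or sc.get("success") != "yes":   # a failed unlink removed nothing
            continue
        if sc.get("syscall") == EXECVE_SYSCALL:
            execs[sc.get("exe", "")].append(ev["ts"])  # exe= is the newly executed image
            continue
        if sc.get("syscall") not in UNLINK_SYSCALLS:
            continue
        for path in (f["name"] for t, f in ev["recs"] if t == "PATH" and f.get("nametype") == "DELETE"):
            reasons = []
            secure = sc.get("comm") in SECURE_DELETION_TOOLS
            if secure:
                reasons.append(f"secure deletion tool {sc['comm']}")
            if any(0 <= ev["ts"] - t <= TIME_WINDOW for t in execs.get(path, [])):
                reasons.append("file executed within TimeWindow before deletion")
            auid, uid = sc.get("auid"), sc.get("uid")
            if auid not in (None, UNSET_AUID) and auid != uid:
                reasons.append(f"login auid {auid} deleting as uid {uid}")
            staged = bool(PATH_REGEX.search(path))
            if secure or (staged and reasons):
                findings.append((path, sc.get("comm"), reasons))
    return findings


# Constructed sample records (not real telemetry): execute-then-delete in /tmp, a benign rm
# in a home directory, a failed rm (EACCES), and shred -u run through sudo (auid 1000, uid 0).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1761040800.100:1001): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2100 pid=2180 auid=1000 uid=1000 gid=1000 euid=1000 comm="payload" exe="/tmp/.cache/payload" key="exec"
type=EXECVE msg=audit(1761040800.100:1001): argc=1 a0="/tmp/.cache/payload"
type=SYSCALL msg=audit(1761040845.200:1002): arch=c000003e syscall=263 success=yes exit=0 items=2 ppid=2100 pid=2188 auid=1000 uid=1000 gid=1000 euid=1000 comm="rm" exe="/usr/bin/rm" key="delete"
type=PATH msg=audit(1761040845.200:1002): item=0 name="/tmp/.cache/" inode=1310 dev=00:1c mode=040700 ouid=1000 ogid=1000 nametype=PARENT
type=PATH msg=audit(1761040845.200:1002): item=1 name="/tmp/.cache/payload" inode=1311 dev=00:1c mode=0100755 ouid=1000 ogid=1000 nametype=DELETE
type=SYSCALL msg=audit(1761044400.000:1003): arch=c000003e syscall=87 success=yes exit=0 items=2 ppid=2100 pid=2301 auid=1000 uid=1000 gid=1000 euid=1000 comm="rm" exe="/usr/bin/rm" key="delete"
type=PATH msg=audit(1761044400.000:1003): item=1 name="/home/dev/notes.txt" inode=4021 dev=08:01 mode=0100644 ouid=1000 ogid=1000 nametype=DELETE
type=SYSCALL msg=audit(1761044460.000:1004): arch=c000003e syscall=87 success=no exit=-13 items=1 ppid=2100 pid=2305 auid=1000 uid=1000 gid=1000 euid=1000 comm="rm" exe="/usr/bin/rm" key="delete"
type=PATH msg=audit(1761044460.000:1004): item=0 name="/tmp/.cache/locked" inode=1312 dev=00:1c mode=0100600 ouid=0 ogid=0 nametype=DELETE
type=SYSCALL msg=audit(1761048000.000:1005): arch=c000003e syscall=87 success=yes exit=0 items=2 ppid=2400 pid=2410 auid=1000 uid=0 gid=0 euid=0 comm="shred" exe="/usr/bin/shred" key="delete"
type=PATH msg=audit(1761048000.000:1005): item=1 name="/var/tmp/stage/loader.so" inode=7720 dev=08:01 mode=0100755 ouid=0 ogid=0 nametype=DELETE
""".splitlines()

if __name__ == "__main__":
    for path, comm, reasons in detect(SAMPLE_AUDIT):
        print(f"ALERT {comm} removed {path}: {'; '.join(reasons)}")
```

Two of the four deletions are reported: /tmp/.cache/payload (executed 45 s earlier, in a hidden temp directory) and /var/tmp/stage/loader.so (shred, run as root from a uid 1000 login). The rm of notes.txt has no reason attached, and the failed rm is discarded on success=no. The records above presuppose that the kernel is actually auditing these syscalls; a rule of the form `-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -k delete` (plus an execve rule) is the usual way to produce them.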

macOS

AN0394

Detects removal of adversary artifacts via rm, unlink, or secure tools, with focus on shell sessions, temp files, and modified LaunchAgents or system directories.

Log Sources
Data Component | Name | Channel
File Modification (DC0061) | fs:fsusage | unlink, write
Process Creation (DC0032) | macos:unifiedlog | process
Mutable Elements
Field | Description
FilePathRegex | Focus on LaunchAgents, /tmp/, or user folders.
ToolUsageAnomaly | Detects use of unfamiliar deletion tools by ordinary users.

ESXi

AN0395

Detects manual or scripted removal of logs, artifacts, or dropped malware via rm in the ESXi shell, or through a remote PowerCLI session. Focus on deletions from /tmp/, /var/core/, or /scratch.

Log Sources
Data Component | Name | Channel
File Deletion (DC0040) | esxi:shell | /var/log/shell.log
Mutable Elements
Field | Description
LogFilePath | Match deletion actions in system-critical locations or malware drop zones.
TimeWindow | Correlation window after a suspicious admin login or unexpected shell session.