MITRE ATT&CK Technique
Defense Evasion T1107
Description

Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native [cmd](https://attack.mitre.org/software/S0106) functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack Tools)

Supported Platforms
Linux macOS Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data 
{'created': '2017-05-31T21:31:17.915Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may delete files left behind by the actions of '
                'their intrusion activity. Malware, tools, or other non-native '
                'files dropped or created on a system by an adversary may '
                'leave traces to indicate to what was done within a network '
                'and how. Removal of these files can occur during an '
                'intrusion, or as part of a post-intrusion process to minimize '
                "the adversary's footprint.\n"
                '\n'
                'There are tools available from the host operating system to '
                'perform cleanup, but adversaries may use other tools as well. '
                'Examples include native '
                '[cmd](https://attack.mitre.org/software/S0106) functions such '
                'as DEL, secure deletion tools such as Windows Sysinternals '
                'SDelete, or other third-party file deletion tools. (Citation: '
                'Trend Micro APT Attack Tools)',
 'external_references': [{'external_id': 'T1107',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1107'},
                         {'description': 'Wilhoit, K. (2013, March 4). '
                                         'In-Depth Look: APT Attack Tools of '
                                         'the Trade. Retrieved December 2, '
                                         '2015.',
                          'source_name': 'Trend Micro APT Attack Tools',
                          'url': 'http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/'}],
 'id': 'attack-pattern--56fca983-1cf1-4fd1-bda0-5e170a37ab59',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'}],
 'modified': '2025-10-24T17:48:49.115Z',
 'name': 'File Deletion',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': True,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Walker Johnson'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux', 'macOS', 'Windows'],
 'x_mitre_version': '1.1'}
Quick Actions
Edit TTP Update from Web
Back to TTPs
Dashboard About