MITRE ATT&CK Technique
Defense Evasion T1070.004
Description

Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) functions include <code>del</code> on Windows, <code>rm</code> or <code>unlink</code> on Linux and macOS, and `rm` on ESXi.

Supported Platforms
ESXi Linux macOS Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data 
{'created': '2020-01-31T12:35:36.479Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may delete files left behind by the actions of '
                'their intrusion activity. Malware, tools, or other non-native '
                'files dropped or created on a system by an adversary (ex: '
                '[Ingress Tool '
                'Transfer](https://attack.mitre.org/techniques/T1105)) may '
                'leave traces to indicate to what was done within a network '
                'and how. Removal of these files can occur during an '
                'intrusion, or as part of a post-intrusion process to minimize '
                "the adversary's footprint.\n"
                '\n'
                'There are tools available from the host operating system to '
                'perform cleanup, but adversaries may use other tools as '
                'well.(Citation: Microsoft SDelete July 2016) Examples of '
                'built-in [Command and Scripting '
                'Interpreter](https://attack.mitre.org/techniques/T1059) '
                'functions include <code>del</code> on Windows, '
                '<code>rm</code> or <code>unlink</code> on Linux and macOS, '
                'and `rm` on ESXi.',
 'external_references': [{'external_id': 'T1070.004',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1070/004'},
                         {'description': 'Russinovich, M. (2016, July 4). '
                                         'SDelete v2.0. Retrieved February 8, '
                                         '2018.',
                          'source_name': 'Microsoft SDelete July 2016',
                          'url': 'https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete'}],
 'id': 'attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'}],
 'modified': '2025-10-24T17:49:27.978Z',
 'name': 'File Deletion',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Walker Johnson'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['ESXi', 'Linux', 'macOS', 'Windows'],
 'x_mitre_version': '1.2'}
Quick Actions
Edit TTP Update from Web
Related Threat Actors (46)
braincipher
Medium
donex
Low
Wizard Spider
High
UNC3886
High
Dragonfly
High
View All 46 Actors
Back to TTPs
Dashboard About