View on MITRE ATT&CK

T1070.004 - File Deletion

Sub-technique
Tactics:
Defense Evasion
Platforms:
ESXi Linux macOS Windows
Detection:
Not specified
Description:
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.

There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) functions include <code>del</code> on Windows, <code>rm</code> or <code>unlink</code> on Linux and macOS, and `rm` on ESXi.
Used by Actors (20)
APT3
Nation-state
APT18
Nation-state
APT28
Nation-state
APT29
Nation-state
Lazarus Group
Nation-state
FIN6
Unknown
OilRig
Nation-state
Gamaredon Group
Unknown
APT32
Nation-state
FIN8
Unknown
APT5
Unknown
Kimsuky
Nation-state
MUSTANG PANDA
Nation-state
WIZARD SPIDER
Nation-state
APT39
Unknown
FIN5
Unknown
FIN10
Unknown
Group5
Unknown
Rocke
Unknown
APT41
Nation-state
Malware (20)
PowerDuke other BLINDINGCAN other RCSession other Bumblebee other MURKYTOP other RDFSNIFFER other NICECURL other Proxysvc other NOKKI other Backdoor.Oldrea other Stuxnet other VersaMem other TDTESS other COATHANGER other HALFBAKED other WindTail other Misdat other Exaramel for Linux other KEYMARBLE other HAWKBALL other
Metadata
MITRE ID: T1070.004
STIX ID: attack-pattern--d63a3fb8-9452-...
Platforms: ESXi, Linux, macOS, Windows
Created: 13/01/2026 17:48
Updated: 06/03/2026 16:00