MITRE ATT&CK detection coverage

← Back to main site

Home/ MITRE Matrix/ Defense Evasion/ T1070.004

T1070.004File Deletion

T1070.004 — File Deletion is a MITRE ATT&CK technique in the Defense Evasion tactic. Clankerusecase tracks 23 detection use cases covering it and 12 threat-intel articles citing it.

Defense Evasion

View on the matrix → Filter Detection Library MITRE official spec ↗

23Use cases

12Articles

0Sub-techniques

1Tactic

↑ Parent technique: T1070 · Indicator Removal

Use cases covering this technique (23)

Clear Unallocated Sector Using Cipher App ESCU actions · alerting P Linux Account Manipulation Of SSH Config and Keys ESCU actions · hunting P Linux Deletion Of Cron Jobs ESCU actions · hunting P Linux Deletion Of Init Daemon Script ESCU actions · alerting P Linux Deletion Of Services ESCU actions · alerting P Linux Deletion of SSL Certificate ESCU actions · hunting P Linux High Frequency Of File Deletion In Boot Folder ESCU actions · alerting P Linux High Frequency Of File Deletion In Etc Folder ESCU actions · hunting P Linux Indicator Removal Service File Deletion ESCU actions · hunting P Recursive Delete of Directory In Batch CMD ESCU actions · alerting P Sdelete Application Execution ESCU actions · alerting P Windows Default Rdp File Deletion ESCU actions · hunting P Windows Rdp AutomaticDestinations Deletion ESCU actions · hunting P Windows RDP Cache File Deletion ESCU actions · hunting P Windows RDP Server Registry Deletion ESCU actions · hunting P [LLM] Anti-forensic deletion/tampering of macOS Tahoe 26 App.MenuItem Biome stream Bespoke actions · alerting DSΣPDDCS [LLM] MIPS shell-script dropper on Linux edge device — JDY architecture-aware payload fetch Bespoke install · hunting DSΣPDDCS [LLM] AWS CloudTrail S3 destination bucket emptied or deleted Bespoke actions · alerting DSPDDCW [LLM] Orphaned process (ppid=1) executing from /tmp hidden hex path (post-dropper stage-2) Bespoke actions · alerting DSΣPDDCS [LLM] PowerShell-parented taskkill of winrar.exe (Cloud Atlas LNK anti-forensic cleanup) Bespoke install · alerting DSΣPDDCS [LLM] Trinny marker file creation (.trinny-security-update) Bespoke install · alerting DSΣPDDCS [LLM] npm/PyPI dropper self-cleanup: find rm -rf of kube-health-tools in node_modules Bespoke install · alerting DSΣPDD [LLM] plain-crypto-js setup.js self-deletion or package.json overwrite (anti-forensics) Bespoke actions · hunting DSΣPDDCS

Articles citing this technique (12)

crit Tracing Digital Intent: New MacOS Tahoe 26 Artifact Discovered art-15

crit China-Linked JDY Botnet Expands to 1,500+ Devices for Cyber Reconnaissance art-59

high Blinding the Watchmen: Abusing Cloud Logging Services for Defense Evasion and Visibility art-74

high Laravel-Lang Supply Chain Attack: Every Tag Across Multiple Composer Packages Rewritten to Steal CI Secrets art-145

crit Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload art-219

crit Webworm: New burrowing techniques art-240

crit A rigged game: ScarCruft compromises gaming platform in a supply-chain attack art-332

high Malicious Release of elementary-data PyPI Package Steals Cloud Credentials from Data Engineers art-352

high GPT-Proxy Backdoor in npm and PyPI turns Servers into Chinese LLM Relays art-367

crit axios Compromised on npm - Malicious Versions Drop Remote Access Trojan art-401

crit EDR killers explained: Beyond the drivers art-455

crit PlushDaemon compromises network devices for adversary-in-the-middle attacks art-695