MITRE ATT&CK® Detection Strategy

DET0140: Behavioral Detection of Malicious File Deletion


Domain: Enterprise | ID: DET0140 | Type: Detection Strategy | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0140 is a detection strategy for spotting malicious file deletion behavior associated with ATT&CK technique T1070.004, File Deletion. Its business value is in preserving incident visibility: when adversaries remove tools, malware, or other files created during an intrusion, responders can lose evidence needed to determine scope, timeline, and recovery actions.

Executive priority

Prioritize this as an evidence-preservation and incident-readiness control. Security leaders should ask whether endpoint, server, and virtual infrastructure monitoring can show when important files are deleted, by which process or account, and whether that context is retained long enough to support investigation. This matters for operational resilience, audit defensibility, and reducing uncertainty during incident response, especially across Windows, Linux, macOS, and ESXi environments referenced by the related ATT&CK technique.

Technical view

The supplied ATT&CK object has no official description, detection text, platforms, or tactics of its own, but it detects T1070.004 File Deletion, which is associated with stealth and platforms including ESXi, Linux, macOS, and Windows. SOC and detection engineering teams should validate whether they can detect suspicious file deletion patterns, especially deletion of recently created adversary tools, malware, scripts, staged files, or other non-native artifacts following intrusion activity. IR teams should confirm that deletion events can be correlated with process execution, user/session context, file path, host identity, and surrounding transfer or execution activity where available.

Likely telemetry

  • File deletion events from endpoint, server, and workload monitoring
  • Process creation and command-line telemetry tied to deletion activity
  • File path, filename, hash, and timestamp metadata where retained
  • User, service account, and session context for the deleting process
  • Host and platform inventory for Windows, Linux, macOS, and ESXi systems covered by the related technique

Detection direction

  • Validate coverage for deletion events on every system in scope; do not assume the detection strategy covers all platforms, because the DET0140 object itself lists none.
  • Tune for suspicious context rather than deletion alone, since normal software updates, administrative cleanup, log rotation, and user activity can create high false-positive volume.
  • Correlate deletion with recently created or transferred files, unusual process ancestry, non-standard paths, privileged accounts, or activity occurring after other intrusion indicators.
  • Check blind spots where file deletion logging is disabled, too short-lived, not forwarded, or unavailable on specific operating systems or ESXi infrastructure.
  • Ensure detections preserve enough context for IR: deleting process, initiating identity, target path, timestamps, and related host activity.
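The correlation the bullets above describe, as an added example that is not part of the MITRE DET0140 object or of Glexia's page: deletion events are replayed in time order against the file's own creation and execution events, weighted for non-standard paths, interpreter-driven deletion and privileged identity, and any finding carries the context an IR team needs (deleting process, identity, path, timestamps, creator). The event schema, the path and process lists, the weights and the sample log lines are assumptions constructed for the example; map your own EDR, auditd or Sysmon fields onto them.

```python
"""Correlate file-deletion events with their surrounding context.

Added example for the detection direction above; not part of the MITRE
DET0140 object or of Glexia's page. The event schema (type, ts, host, path,
user, process) and the lists below are assumptions made for the example.
"""
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Locations where adversary tooling is commonly staged (assumed baseline; tune locally).
NON_STANDARD_PATHS = ("/tmp/", "/dev/shm/", "/var/tmp/",
                      "C:\\Users\\Public\\", "C:\\Windows\\Temp\\", "C:\\ProgramData\\")
PRIVILEGED_USERS = {"root", "SYSTEM", "Administrator"}
# Interpreters and utilities that delete files on an operator's behalf; legitimate
# cleanup uses them too, so this is only one weighted signal, never a verdict.
SHELL_DELETERS = {"cmd.exe", "powershell.exe", "bash", "sh", "rm"}


@dataclass
class Finding:
    """Context to preserve for IR: who deleted what, when, and what created it."""
    host: str
    path: str
    deleted_at: datetime
    deleting_process: str
    deleting_user: str
    created_at: Optional[datetime]
    creating_process: Optional[str]
    executed_before_deletion: bool
    score: int
    reasons: List[str] = field(default_factory=list)


def score_deletion(delete, creation, executed, window):
    """Weight the suspicious context around one deletion; returns (score, reasons)."""
    score, reasons = 0, []
    if creation is not None and delete["ts"] - creation["ts"] <= window:
        score += 2
        reasons.append("file created within lookback window")
    if creation is not None and creation["process"] != delete["process"]:
        score += 1
        reasons.append("deleted by a different process than the one that created it")
    if executed:
        score += 2
        reasons.append("file was executed between creation and deletion")
    if delete["path"].startswith(NON_STANDARD_PATHS):
        score += 1
        reasons.append("non-standard staging path")
    if delete["process"] in SHELL_DELETERS:
        score += 1
        reasons.append("deleted via a shell or command interpreter")
    if delete["user"] in PRIVILEGED_USERS:
        score += 1
        reasons.append("privileged account")
    return score, reasons


def correlate_deletions(lines, window_minutes=30, min_score=3):
    """Replay JSON event lines in time order and flag deletions with suspicious context."""
    events = sorted((json.loads(line) for line in lines), key=lambda e: e["ts"])
    window = timedelta(minutes=window_minutes)
    last_create = {}   # (host, path) -> most recent file_create event
    executed = set()   # (host, path) pairs that were run after being created
    findings = []
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
        key = (e["host"], e["path"])
        if e["type"] == "file_create":
            last_create[key] = e
            executed.discard(key)
        elif e["type"] == "process_create" and key in last_create:
            executed.add(key)
        elif e["type"] == "file_delete":
            creation = last_create.pop(key, None)   # tie the deletion to its creation
            ran = key in executed
            executed.discard(key)
            score, reasons = score_deletion(e, creation, ran, window)
            if score >= min_score:
                findings.append(Finding(
                    host=e["host"], path=e["path"], deleted_at=e["ts"],
                    deleting_process=e["process"], deleting_user=e["user"],
                    created_at=creation["ts"] if creation else None,
                    creating_process=creation["process"] if creation else None,
                    executed_before_deletion=ran, score=score, reasons=reasons))
    return findings


# Constructed sample telemetry (not real logs): a Linux cleanup sequence, a Windows
# cleanup sequence, and a benign log-rotation deletion that should not be flagged.
SAMPLE_EVENTS = [
    '{"type":"file_create","ts":"2024-05-01T10:00:00","host":"ws01","path":"/tmp/.x/agent","user":"www-data","process":"curl"}',
    '{"type":"process_create","ts":"2024-05-01T10:01:00","host":"ws01","path":"/tmp/.x/agent","user":"www-data","process":"agent"}',
    '{"type":"file_delete","ts":"2024-05-01T10:12:00","host":"ws01","path":"/tmp/.x/agent","user":"www-data","process":"rm"}',
    r'{"type":"file_create","ts":"2024-05-01T11:00:00","host":"srv02","path":"C:\\Users\\Public\\upd.exe","user":"Administrator","process":"powershell.exe"}',
    r'{"type":"process_create","ts":"2024-05-01T11:02:00","host":"srv02","path":"C:\\Users\\Public\\upd.exe","user":"Administrator","process":"upd.exe"}',
    r'{"type":"file_delete","ts":"2024-05-01T11:09:00","host":"srv02","path":"C:\\Users\\Public\\upd.exe","user":"Administrator","process":"cmd.exe"}',
    '{"type":"file_create","ts":"2024-04-24T03:00:00","host":"ws01","path":"/var/log/syslog.1","user":"root","process":"logrotate"}',
    '{"type":"file_delete","ts":"2024-05-01T03:00:00","host":"ws01","path":"/var/log/syslog.1","user":"root","process":"logrotate"}',
]

if __name__ == "__main__":
    for f in correlate_deletions(SAMPLE_EVENTS):
        print(f"{f.host} {f.path} score={f.score} deleted_by={f.deleting_process} "
              f"created_by={f.creating_process} reasons={f.reasons}")
```

The logrotate deletion scores only on the privileged account and stays below the threshold, which is the point of tuning for context rather than deletion alone; the two staged-tool deletions are flagged with the creation, execution and deletion events already joined, so the record survives even after the file itself is gone.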

Mitigation priorities

  • First, confirm logging and retention for file deletion and process activity on the platforms relevant to the related technique.
  • Second, harden evidence preservation by forwarding telemetry off-host where practical, so local deletion does not remove the only investigative record.
  • Third, restrict unnecessary write/delete permissions for sensitive directories and administrative tooling locations using least privilege.
  • Fourth, align SOC playbooks so suspicious deletion triggers scoping questions: what was deleted, who or what deleted it, what created it, and what activity occurred before and after.
  • Fifth, use incident response exercises to test whether responders can reconstruct file lifecycle events after adversary cleanup behavior.

Analyst notes and limits

This take is based on DET0140 and its relationship to T1070.004 File Deletion. The ATT&CK relationship provides the key context: adversaries may delete files left by intrusion activity to minimize their footprint. The detection strategy object itself is sparse, so the strongest defensive value is validating telemetry, correlation, and incident evidence handling rather than relying on a specific MITRE-provided analytic.

Official description and official detection content were not provided for DET0140, and the detection strategy lists no platforms or tactics. Platform and tactic context comes only from the related T1070.004 technique. Local environment data is required to determine actual logging coverage, detection quality, false-positive rates, and response readiness.

Official MITRE ATT&CK definition

Behavioral Detection of Malicious File Deletion

No official description is available in the imported ATT&CK source object.

The same entry is available on attack.mitre.org (the MITRE-hosted reference; the in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name           Relationship / procedure
Enterprise  T1070.004  File Deletion  Sub-technique; this object detects File Deletion.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: cd5e956e65adb0ea...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  cd5e956e65ad…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0140 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.