
# File Deletion

**ATT\&CK ID:** [T1070.004](https://attack.mitre.org/techniques/T1070/004/)

**Description**

Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.

\[[Source](https://attack.mitre.org/techniques/T1070/004/)]

## Techniques

### CMD

```batch
REM Delete file (/f also removes read-only files)
del /f C:\TestFile.txt

REM Delete folder and its contents (/s recursive, /q no confirmation prompt)
rmdir /s /q C:\TestFolder
```

### PowerShell

```powershell
# Remove File
Remove-Item -Path C:\TestFile.txt -Force -Verbose

# Remove Folder
Remove-Item -Recurse -Path C:\TestFolder -Force -Verbose

# Remove Contents of Folder (Recursive)
Get-ChildItem -Recurse -Path C:\TestFolder | Remove-Item -Force -Verbose
```


### SDelete (Sysinternals)

**URL:** <https://download.sysinternals.com/files/SDelete.zip>

```batch
REM Delete file securely (-p 3 = three overwrite passes)
SDelete.exe -accepteula -nobanner -p 3 C:\TestFile.ext

REM Delete folder recursively (-s recurses subdirectories)
SDelete.exe -accepteula -nobanner -p 3 -s C:\TestFolder
```


## Mitigation

* Monitor executed commands and arguments for actions that could be utilized to unlink, rename, or delete files.
* Monitor for unexpected deletion of files from the system.
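
The first monitoring point above, as an added example that is not part of the original page: Python detection logic that flags the deletion commands listed under Techniques in process-creation records, including an SDelete copy that has been renamed on disk. The record layout (Sysmon Event ID 1 style fields), the rule names and the sample events are assumptions constructed for illustration.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Lookbehind keeps "del"/"rd" from matching inside paths or longer words.
TOKEN = r"(?<![\w\\.:-])"
RULES = [
    ("cmd_del", re.compile(TOKEN + r"(?:del|erase)\s+\S", re.I)),
    ("cmd_rmdir", re.compile(TOKEN + r"(?:rmdir|rd)\s+\S", re.I)),
    ("ps_remove_item", re.compile(r"\bRemove-Item\b", re.I)),
]
SDELETE_NAMES = {"sdelete.exe", "sdelete64.exe"}

def classify(event):
    """Return sorted rule names that fire for one process-creation record."""
    hits = {name for name, rx in RULES if rx.search(event.get("CommandLine", ""))}
    # Compare both the on-disk name and the PE OriginalFileName, so a
    # renamed SDelete binary is still identified.
    names = {basename(event.get("Image", "")).lower(),
             event.get("OriginalFileName", "").lower()}
    if names & SDELETE_NAMES:
        hits.add("sdelete")
    return sorted(hits)

def scan(events):
    """Return (index, rule names) for every record that triggers a rule."""
    return [(i, h) for i, e in enumerate(events) if (h := classify(e))]

# Constructed sample records (field names assumed); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c del /f C:\TestFile.txt"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c rmdir /s /q C:\TestFolder"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -c "Get-ChildItem -Recurse -Path C:\TestFolder | Remove-Item -Force"'},
    {"Image": r"C:\Tools\SDelete.exe", "OriginalFileName": "sdelete.exe",
     "CommandLine": r"SDelete.exe -accepteula -nobanner -p 3 -s C:\TestFolder"},
    {"Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "sdelete.exe",
     "CommandLine": r"svc.exe -accepteula -nobanner -p 3 C:\TestFile.ext"},
    {"Image": r"C:\Windows\System32\cmd.exe",  # benign: "del" only inside a path
     "CommandLine": r"cmd.exe /c dir C:\Models\delta"},
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS):
        print(i, hits, SAMPLE_EVENTS[i]["CommandLine"])
```

Command-line matching addresses only the first bullet; the second needs file-deletion telemetry, such as Sysmon Event IDs 23 (FileDelete) and 26 (FileDeleteDetected).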

## Further Reading

**del:** <https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/del>

**Remove-Item:** <https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/remove-item?view=powershell-7.2>

