Threat Actors may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by Threat Actors (ex: Ingress Tool Transfer) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.