Indicator Removal T1070

Events covered

24 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 176 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (106 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Top indicator values (874 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

Exclusions (196 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 62 rules

• ADS Zone.Identifier Deleted
• ADS Zone.Identifier Deleted By Uncommon Application
• Backup Catalog Deleted
• Cisco Clear Logs
• Cisco File Deletion
• Clear PowerShell History - PowerShell
• Clear PowerShell History - PowerShell Module
• Clearing Windows Console History
• Directory Removal Via Rmdir
• Disable Administrative Share Creation at Startup
• Disable of ETW Trace - Powershell
• Disable Powershell Command History
• DLL Load By System Process From Suspicious Locations
• ETW Trace Evasion Activity
• Event log clear attempt (command)
• Event log clear attempt (PowerShell)
• Event log clear attempt (wmi)
• Event log cleared (native)
• Event log cleared using Diagnostics (via PowerShell)
• EventLog EVTX File Deleted
• Exchange PowerShell Cmdlet History Deleted
• File Creation Date Changed to Another Year
• File Deleted Via Sysinternals SDelete
• File Deletion
• File Deletion Via Del
• File Time Attribute Change
• File Time Attribute Change - Linux
• Filter Driver Unloaded Via Fltmc.EXE
• Fsutil Suspicious Invocation
• Greedy File Deletion Using Del
• IIS WebServer Access Logs Deleted
• IIS WebServer Log Deletion via CommandLine Utilities
• Kubernetes Events Deleted
• Linux Command History Tampering
• Linux Package Uninstall
• macOS Data Destruction Tools
• macOS ESF Deletion In Sensitive Directories
• MaxMpxCt Registry Value Changed
• Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
• Potential Secure Deletion with SDelete
• Potentially Suspicious Ping/Copy Command Combination
• PowerShell Console History Logs Deleted
• PowerShell Deleted Mounted Share
• Powershell Timestomp
• Prefetch File Deleted
• RunMRU Registry Key Deletion
• RunMRU Registry Key Deletion - Registry
• SES Identity Has Been Deleted
• Shadow Copies Deletion Using Operating Systems Utilities
• Suspicious IO.FileStream
• Suspicious Ping/Del Command Combination
• Sysmon Driver Unloaded Via Fltmc.EXE
• System time changed
• System time changed (PowerShell)
• TeamViewer Log File Deleted
• Terminal Server Client Connection History Cleared - Registry
• Tomcat WebServer Logs Deleted
• Touch Suspicious Service File
• Unauthorized System Time Modification
• Unmount Share Via Net.EXE
• Use Of Remove-Item to Delete File - ScriptBlock
• Windows Mail App Mailbox Access Via PowerShell Script

Elastic 32 rules

• Attempt to Clear Kernel Ring Buffer
• Attempt to Clear Logs via Journalctl
• AWS S3 Bucket Configuration Deletion
• AWS S3 Bucket Expiration Lifecycle Configuration Added
• Clearing Windows Console History
• Clearing Windows Event Logs
• Delete Volume USN Journal with Fsutil
• Disable Windows Event and Security Logs Using Built-in Tools
• ESXI Timestomping using Touch Command
• File Creation in /var/log via Suspicious Process
• File Creation, Execution and Self-Deletion in Suspicious Directory
• File Deletion via Shred
• File or Directory Deletion Command
• Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers
• Kubernetes Events Deleted
• Linux User or Group Deletion
• M365 Exchange MFA Notification Email Deleted or Moved
• Potential REMCOS Trojan Execution
• Potential Secure File Deletion via SDelete Utility
• Potential Timestomp in Executable Files
• PowerShell Script with Log Clear Capabilities
• Sensitive Audit Policy Sub-Category Disabled
• Shell Command-Line History Deletion Detected via Defend for Containers
• Shell History Clearing via Environment Variables
• SSH Authorized Keys File Deletion
• SSL Certificate Deletion
• Suspicious Print Spooler File Deletion
• System Log File Deletion
• Tampering of Shell Command-Line History
• Timestomping using Touch Command
• WebServer Access Logs Deleted
• Windows Event Logs Cleared

Splunk 42 rules

• Cisco ASA - Logging Message Suppression
• Cisco ASA - User Account Deleted From Local Database
• Cisco IOS XE Log Clearing Sequence With Optional Loopback Removal
• Clear Unallocated Sector Using Cipher App
• Clear Windows Event Logs (Windows Event Log)
• Create or delete windows shares using net exe
• ESXi Audit Tampering
• ESXi System Clock Manipulation
• ETW Trace Provider Modified - PowerShell (PowerShell)
• Fsutil Zeroing File
• Linux Account Manipulation Of SSH Config and Keys
• Linux Deletion Of Cron Jobs
• Linux Deletion Of Init Daemon Script
• Linux Deletion Of Services
• Linux Deletion of SSL Certificate
• Linux High Frequency Of File Deletion In Boot Folder
• Linux High Frequency Of File Deletion In Etc Folder
• Linux Indicator Removal Clear Cache
• Linux Indicator Removal Service File Deletion
• MacOS Log Removal
• Network Share Connection Removal (PowerShell)
• NirCmd Execution (Sysmon)
• NirCmd Execution (Windows Event Log)
• O365 Email Hard Delete Excessive Volume
• O365 Email Password and Payroll Compromise Behavior
• O365 Email Receive and Hard Delete Takeover Behavior
• O365 Email Send and Hard Delete Exfiltration Behavior
• O365 Email Send and Hard Delete Suspicious Behavior
• O365 Email Send Attachments Excessive Volume
• Process Deleting Its Process File Path
• Recursive Delete of Directory In Batch CMD
• Sdelete Application Execution
• Timestamp Manipulation (PowerShell)
• Timestamp Manipulation (Windows Event Log)
• USN Journal Deletion
• Windows ConsoleHost History File Deletion
• Windows Default Rdp File Deletion
• Windows Indicator Removal Via Rmdir
• Windows Powershell History File Deletion
• Windows Rdp AutomaticDestinations Deletion
• Windows RDP Cache File Deletion
• Windows RDP Server Registry Deletion

Kusto 29 rules

• AWSCloudTrail - Changes made to AWS CloudTrail logs
• Bitglass - The SmartEdge endpoint agent was uninstalled
• BTP - Build Work Zone unauthorized access and role tampering
• BTP - Cloud Integration tampering with security material
• CiscoISE - Attempt to delete local store logs
• CiscoISE - Log files deleted
• Clearing of forensic evidence from event logs using wevtutil
• Dataverse - Audit log data deletion
• McAfee ePO - Attempt uninstall McAfee agent
• McAfee ePO - Error sending alert
• McAfee ePO - File added to exceptions
• McAfee ePO - Logging error occurred
• McAfee ePO - Multiple threats on same host
• McAfee ePO - Scanning engine disabled
• McAfee ePO - Task error
• McAfee ePO - Threat was not blocked
• McAfee ePO - Unable to clean or delete infected file
• McAfee ePO - Update failed
• NRT Security Event log cleared
• OCI - Event rule deleted
• Potential Ransomware activity related to Cobalt Strike
• Powershell Empire Cmdlets Executed in Command Line
• Qakbot Campaign Self Deletion
• Security Event log cleared
• Sentinel One - Agent uninstalled from multiple hosts
• Sentinel One - Blacklist hash deleted
• Sentinel One - Exclusion added
• Sentinel One - Rule deleted
• Sentinel One - Rule disabled

YARA-L 1 rule

• Windows Event Log Cleared

Panther 10 rules

• AWS RDS Snapshot Deleted
• Azure Automation Runbook Deleted
• Crowdstrike API Key Deleted
• Crowdstrike Ephemeral User Account
• Crowdstrike Systemlog Tampering
• Crowdstrike User Deleted
• Databricks Access Token Revoked
• Slack App Removed
• Slack DLP Modified
• Wiz User Created Or Deleted