Indicator Removal T1070
Adversaries may selectively delete or modify the artifacts their activity generates, reducing indications of their presence while blending in with legitimate activity. Rather than broadly removing evidence, adversaries may target specific artifacts that appear anomalous or are likely to draw scrutiny, while leaving enough data intact to maintain the appearance of normal system behavior.
Events covered
21 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 86 rules listed below (50 Sigma, 10 Elastic, 21 Splunk, 5 Kusto): which fields they filter on, which specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row, so a rule that repeats the same predicate does not inflate the count.
Fields filtered most (42 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (385 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.
Exclusions (80 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.
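How the three tables above are derived, as an added example in Python (this is not the catalog's own code): vendor field names are normalized, (field, operator, value) rows are ranked by how many rules under a technique use them, corpus reach is counted across rules of every technique, and a draft rule is checked against the exclusions its neighbours apply. The alias table, rule titles, predicates, exclusions and the second technique tag are constructed for illustration; only the Image / process.name / process_name equivalence comes from the page.

```python
"""Aggregate (field, operator, value) predicates across detection rules.

Added example, not the catalog's code. The vendor names, rule titles and
predicates below are constructed to illustrate the authoring-guide columns.
"""
from collections import Counter, defaultdict

# Vendor-specific field name -> catalog-normalized name (assumed mapping;
# the page only states that Image, process.name and process_name collapse).
FIELD_ALIASES = {
    ("sigma", "Image"): "process.name",
    ("sigma", "CommandLine"): "process.command_line",
    ("sigma", "ParentImage"): "process.parent.name",
    ("elastic", "process.name"): "process.name",
    ("elastic", "process.command_line"): "process.command_line",
    ("elastic", "process.parent.name"): "process.parent.name",
    ("splunk", "process_name"): "process.name",
    ("splunk", "process"): "process.command_line",
    ("splunk", "parent_process_name"): "process.parent.name",
}

SVCHOST = "C:\\Windows\\System32\\svchost.exe"

# Constructed rules: vendor, technique tags, predicates, top-level not() exclusions.
RULES = [
    {"vendor": "sigma", "title": "Event log clear attempt (command)", "techniques": {"T1070"},
     "predicates": [("Image", "eq", "wevtutil.exe"),
                    ("CommandLine", "wildcard", "* cl *"),
                    ("Image", "eq", "wevtutil.exe")],          # repeated: counted once
     "exclusions": [("ParentImage", "eq", SVCHOST)]},
    {"vendor": "elastic", "title": "Windows Event Logs Cleared", "techniques": {"T1070"},
     "predicates": [("process.name", "eq", "wevtutil.exe"),
                    ("process.command_line", "wildcard", "* cl *")],
     "exclusions": []},
    {"vendor": "splunk", "title": "Clear Windows Event Logs", "techniques": {"T1070"},
     "predicates": [("process_name", "eq", "wevtutil.exe"),
                    ("process", "regex_match", r"(?i)\bcl\b")],
     "exclusions": [("parent_process_name", "eq", SVCHOST)]},
    {"vendor": "sigma", "title": "Disable Windows Event Logging", "techniques": {"T1562"},
     "predicates": [("Image", "eq", "wevtutil.exe"),        # same indicator, other technique
                    ("CommandLine", "wildcard", "* sl *")],
     "exclusions": []},
]


def normalize(vendor, field):
    """Map a vendor field name to the normalized name; unknown fields pass through."""
    return FIELD_ALIASES.get((vendor, field), field)


def _rows(rule, kind):
    """Normalized rows of one rule as a set, so the rule contributes at most once per row."""
    return {(normalize(rule["vendor"], f), op, v) for f, op, v in rule[kind]}


def rank_indicators(rules, technique, kind="predicates"):
    """Rows used by rules under `technique`: [(row, count, reach)], count descending.
    reach counts rules of any technique using the row; reach == count means the row is
    specific to this technique (the page renders that column blank)."""
    in_tech, corpus = Counter(), Counter()
    for rule in rules:
        rows = _rows(rule, kind)
        corpus.update(rows)
        if technique in rule["techniques"]:
            in_tech.update(rows)
    ranked = [(row, n, corpus[row]) for row, n in in_tech.items()]
    ranked.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return ranked


def fields_filtered(rules, technique):
    """Per normalized field: (number of rules filtering on it, operator histogram)."""
    rule_count, ops = Counter(), defaultdict(Counter)
    for rule in rules:
        if technique not in rule["techniques"]:
            continue
        rows = _rows(rule, "predicates")
        for field, op, _ in rows:
            ops[field][op] += 1
        rule_count.update({field for field, _, _ in rows})
    return {f: (rule_count[f], dict(ops[f])) for f in rule_count}


def missing_exclusions(rules, technique, candidate, min_rules=2):
    """Exclusions applied by at least `min_rules` rules under `technique` that
    `candidate` lacks: the noisy paths a new rule will most likely fire on."""
    have = _rows(candidate, "exclusions")
    return [(row, n) for row, n, _ in rank_indicators(rules, technique, "exclusions")
            if n >= min_rules and row not in have]


def render(ranked):
    """Text rendering of a ranked table; the reach column is blank when specific."""
    return "\n".join(f"{n:>3} {'' if reach == n else reach:>5}  {f} {op} {v}"
                     for (f, op, v), n, reach in ranked)


if __name__ == "__main__":
    print(render(rank_indicators(RULES, "T1070")))
    print(render(rank_indicators(RULES, "T1070", kind="exclusions")))
    print(missing_exclusions(RULES, "T1070", RULES[1]))
```

Run as a script, the first table shows `process.name eq wevtutil.exe` used by all three T1070 rules with a corpus reach of 4, because the T1562 rule checks it too; that is the "noisy on its own" case the Corpus reach column is meant to flag. The Elastic rule, which carries no exclusions, is reported as missing the svchost.exe parent exclusion that two of its neighbours apply.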
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.
Sigma 50 rules
- ADS Zone.Identifier Deleted
- ADS Zone.Identifier Deleted By Uncommon Application
- Backup Catalog Deleted
- Clear PowerShell History - PowerShell
- Clear PowerShell History - PowerShell Module
- Clearing Windows Console History
- Directory Removal Via Rmdir
- Disable Administrative Share Creation at Startup
- Disable of ETW Trace - Powershell
- Disable Powershell Command History
- DLL Load By System Process From Suspicious Locations
- ETW Trace Evasion Activity
- Event log clear attempt (command)
- Event log clear attempt (PowerShell)
- Event log clear attempt (wmi)
- Event log cleared (native)
- Event log cleared using Diagnostics (via PowerShell)
- EventLog EVTX File Deleted
- Exchange PowerShell Cmdlet History Deleted
- File Creation Date Changed to Another Year
- File Deleted Via Sysinternals SDelete
- File Deletion Via Del
- Filter Driver Unloaded Via Fltmc.EXE
- Fsutil Suspicious Invocation
- Greedy File Deletion Using Del
- IIS WebServer Access Logs Deleted
- IIS WebServer Log Deletion via CommandLine Utilities
- MaxMpxCt Registry Value Changed
- Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
- Potential Secure Deletion with SDelete
- Potentially Suspicious Ping/Copy Command Combination
- PowerShell Console History Logs Deleted
- PowerShell Deleted Mounted Share
- Powershell Timestomp
- Prefetch File Deleted
- RunMRU Registry Key Deletion
- RunMRU Registry Key Deletion - Registry
- Shadow Copies Deletion Using Operating Systems Utilities
- Suspicious IO.FileStream
- Suspicious Ping/Del Command Combination
- Sysmon Driver Unloaded Via Fltmc.EXE
- System time changed
- System time changed (PowerShell)
- TeamViewer Log File Deleted
- Terminal Server Client Connection History Cleared - Registry
- Tomcat WebServer Logs Deleted
- Unauthorized System Time Modification
- Unmount Share Via Net.EXE
- Use Of Remove-Item to Delete File - ScriptBlock
- Windows Mail App Mailbox Access Via PowerShell Script
Elastic 10 rules
- Clearing Windows Console History
- Clearing Windows Event Logs
- Delete Volume USN Journal with Fsutil
- Disable Windows Event and Security Logs Using Built-in Tools
- File or Directory Deletion Command
- Potential REMCOS Trojan Execution
- Potential Timestomp in Executable Files
- Sensitive Audit Policy Sub-Category Disabled
- Suspicious Print Spooler File Deletion
- Windows Event Logs Cleared
Splunk 21 rules
- Clear Unallocated Sector Using Cipher App
- Clear Windows Event Logs (Windows Event Log)
- Create or delete windows shares using net exe
- ETW Trace Provider Modified - PowerShell (PowerShell)
- Fsutil Zeroing File
- Network Share Connection Removal (PowerShell)
- NirCmd Execution (Sysmon)
- NirCmd Execution (Windows Event Log)
- Process Deleting Its Process File Path
- Recursive Delete of Directory In Batch CMD
- Sdelete Application Execution
- Timestamp Manipulation (PowerShell)
- Timestamp Manipulation (Windows Event Log)
- USN Journal Deletion
- Windows ConsoleHost History File Deletion
- Windows Default Rdp File Deletion
- Windows Indicator Removal Via Rmdir
- Windows Powershell History File Deletion
- Windows Rdp AutomaticDestinations Deletion
- Windows RDP Cache File Deletion
- Windows RDP Server Registry Deletion
Kusto 5 rules
- Clearing of forensic evidence from event logs using wevtutil
- NRT Security Event log cleared
- Powershell Empire Cmdlets Executed in Command Line
- Qakbot Campaign Self Deletion
- Security Event log cleared