ATT&CK coverage › Technique

Indicator Removal `T1070`

Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.

Events covered

12 catalog events are tagged with this technique by at least one rule.

Provider	Event ID	Title
Sysmon	1	Process creation
Sysmon	2	A process changed a file creation time
Sysmon	7	Image loaded
Sysmon	14	RegistryEvent (Key and Value Rename)
Sysmon	23	FileDelete (File Delete archived)
Sysmon	26	FileDeleteDetected (File Delete logged)
Security-Auditing	4688	A new process has been created.
Security-Auditing	4719	System audit policy was changed.
Defender-DeviceProcessEvents	9001000	Process activity (any)
Eventlog	104	The LogFileCleared.Channel log file was cleared.
Eventlog	1102	The audit log was cleared.
PowerShell	4104	Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 24 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (21 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field	Rules	How	Sample values
`CommandLine`	10	`match` 9, `ends_with` 1, `eq` 1	`unload`, `CL`, `WEVTUTIL`, `127.0.0.1`, `-n 6`
`Image`	8	`ends_with` 6, `starts_with` 1, `eq` 1	`\fltMC.exe`, `\powershell.exe`, `\pwsh.exe`, `C:\Windows\`, `\fsutil.exe`
`OriginalFileName`	6	`eq` 6	`fltMC.exe`, `fsutil.exe`, `powershell_ise.exe`, `cmd.exe`, `powershell.exe`
`TargetFilename`	5	`ends_with` 3, `match` 3, `starts_with` 2	`C:\Windows\System32\winevt\Logs\`, `.evtx`, `\Logging\CmdletInfra\LocalPowerShell\Cmdlet\`, `_Cmdlet_`, `\inetpub\logs\LogFiles\`
`EventType`	2	`in` 1, `eq` 1	`Log clear`, `audit-log-cleared`, `DeleteValue`, `DeleteKey`
`EventID`	2	`eq` 2	`1102`, `1`
`ScriptBlockText`	2	`match` 2	`Clear-History`, `(Get-PSReadlineOption).HistorySavePath`, `Remove-Item`, `Set-EtwTraceProvider` , `Remove-EtwTraceProvider`
`file.extension`	1	`eq` 1	`lnk`, `dll`, `msi`
`file.path`	1	`wildcard` 1	`?:\Windows\SysWOW64\`, `?:\Users\\AppData\Roaming\Microsoft\Windows\Start...`, `?:\Users\Public\*`
`Provider_Name`	1	`eq` 1	`Microsoft-Windows-Sysmon`
`AuditPolicyChangesDescription`	1	`eq` 1, `in` 1	`Success removed`, `Success Added`
`SubCategory`	1	`in` 1	`Process Creation`, `Security Group Management`, `User Account Management`
`Channel`	1	`in` 1	`System`, `Security`
`LogClearCount`	1	`gt` 1	`10`
`EventSourceName`	1	`eq` 1	`Microsoft-Windows-Eventlog`

Top indicator values (136 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

Field	Kind	Value	Rules (here)	Corpus reach
`OriginalFileName`	`eq`	`fltMC.exe`	2	2
`Image`	`ends_with`	`\fltMC.exe`	2	2
`CommandLine`	`match`	`unload`	2	2
`Image`	`ends_with`	`\powershell.exe`	2	143
`Image`	`ends_with`	`\pwsh.exe`	2	140
`OriginalFileName`	`eq`	`pwsh.dll`	2	72
`CommandLine`	`match`	`delete`	2	7
`file.path`	`wildcard`	`?:\Windows\System32\*`	1
`file.extension`	`eq`	`exe`	1
`Provider_Name`	`eq`	`Microsoft-Windows-Sysmon`	1	3
`file.extension`	`eq`	`lnk`	1
`file.extension`	`eq`	`msi`	1
`file.path`	`wildcard`	`?:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\`	1
`file.extension`	`eq`	`sys`	1
`file.path`	`wildcard`	`?:\ProgramData\*`	1
`file.path`	`wildcard`	`?:\Users\Public\*`	1
`file.path`	`wildcard`	`?:\Windows\SysWOW64\*`	1
`file.extension`	`eq`	`scr`	1
`file.extension`	`eq`	`dll`	1
`file.path`	`wildcard`	`?:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\*`	1

Common exclusions (13 distinct)

Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field	Kind	Value	Rules excluding
`user`	`eq`	`Network Service`	1
`Image`	`wildcard`	`?:\Windows\system32\cleanmgr.exe`	1
`Image`	`wildcard`	`?:\Windows\System32\Robocopy.exe`	1
`Image`	`wildcard`	`?:\Program Files\*`	1
`file.path`	`starts_with`	`?:\Windows\System32\spool\`	1
`Image`	`wildcard`	`?:\Windows\syswow64\msiexec.exe`	1
`user`	`eq`	`SYSTEM`	1
`Image`	`wildcard`	`?:\Windows\SysWOW64\Robocopy.exe`	1
`user`	`eq`	`Local Service`	1
`Image`	`wildcard`	`?:\Windows\system32\svchost.exe`	1
`Image`	`eq`	`?:\Windows\System32\spoolsv.exe`	1
`Image`	`wildcard`	`?:\Windows\system32\msiexec.exe`	1
`Image`	`wildcard`	`?:\Program Files (x86)\*`	1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 16 rules

Clearing Windows Console History severity high, 1 event, 5 indicators, 0 exclusions
Disable of ETW Trace - Powershell severity high, 1 event, 3 indicators, 0 exclusions
DLL Load By System Process From Suspicious Locations severity medium, 1 event, 3 indicators, 0 exclusions
ETW Trace Evasion Activity severity high, 2 events, 14 indicators, 0 exclusions
EventLog EVTX File Deleted severity medium, 2 events, 2 indicators, 0 exclusions
Exchange PowerShell Cmdlet History Deleted severity high, 2 events, 2 indicators, 0 exclusions
Filter Driver Unloaded Via Fltmc.EXE severity medium, 1 event, 10 indicators, 0 exclusions
Fsutil Suspicious Invocation severity high, 1 event, 5 indicators, 0 exclusions
IIS WebServer Access Logs Deleted severity medium, 2 events, 2 indicators, 0 exclusions
IIS WebServer Log Deletion via CommandLine Utilities severity medium, 1 event, 14 indicators, 0 exclusions
Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE severity medium, 1 event, 7 indicators, 0 exclusions
PowerShell Console History Logs Deleted severity medium, 2 events, 1 indicator, 0 exclusions
Shadow Copies Deletion Using Operating Systems Utilities severity high, 1 event, 20 indicators, 0 exclusions
Sysmon Driver Unloaded Via Fltmc.EXE severity high, 1 event, 4 indicators, 0 exclusions
Terminal Server Client Connection History Cleared - Registry severity high, 1 event, 4 indicators, 0 exclusions
Tomcat WebServer Logs Deleted severity medium, 2 events, 5 indicators, 0 exclusions

Elastic 3 rules

Potential Timestomp in Executable Files 1 event, 14 indicators, 4 exclusions
Sensitive Audit Policy Sub-Category Disabled 1 event, 9 indicators, 0 exclusions
Windows Event Logs Cleared 2 events, 4 indicators, 0 exclusions

Splunk 1 rule

Process Deleting Its Process File Path 1 event, 5 indicators, 0 exclusions

Kusto Query Language 4 rules

Clearing of forensic evidence from event logs using wevtutil 3 events, 3 indicators, 0 exclusions
NRT Security Event log cleared 1 event, 2 indicators, 0 exclusions
Qakbot Campaign Self Deletion 3 events, 5 indicators, 0 exclusions
Security Event log cleared 1 event, 0 indicators, 0 exclusions

Indicator Removal T1070