Indicator Removal T1070

Adversaries may selectively delete or modify artifacts generated to reduce indications of their presence and blend in with legitimate activity. Rather than broadly removing evidence, adversaries may target specific artifacts that appear anomalous or are likely to draw scrutiny, while leaving sufficient data intact to maintain the appearance of normal system behavior.

Events covered

21 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 87 rules under this technique: which fields they filter on, which specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (42 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
CommandLine | 31 | contains 25, match 3, regex_match 3, ends_with 1, in 1 | -n , del, (?i)\s(execcmd|runinteractive(cmd)?|savescreenshot(full|w..., /q, cl
Image | 20 | ends_with 17, eq 3, starts_with 2 | \cmd.exe, \fltmc.exe, \powershell.exe, :\windows\system32\svchost.exe, \\cmd.exe
OriginalFileName | 20 | eq 19, in 3 | cmd.exe, powershell.exe, powershell_ise.exe, pwsh.dll, fltmc.exe
TargetFilename | 18 | ends_with 11, contains 6, starts_with 3, wildcard 3, in 1 | .log, :zone.identifier, *\\terminal server client\\cache\\*.bmc, *\\terminal server client\\cache\\cache*.bin, .aaa
EventID | 15 | eq 12, in 3 | 23, 4104, 1102, 26, 4103
process_name | 15 | eq 12, match 2, ends_with 1 | powershell.exe, fsutil.exe, (?i)nircmd\.exe, cmd.exe, powershell_ise.exe
ScriptBlockText | 13 | contains 13, ends_with 1, match 1 | (get-psreadlineoption).historysavepath, -adjust, -date, -historysavestyle, .creationtime =
event.type | 7 | eq 7 | start, deletion
TargetObject | 5 | ends_with 3, contains 2, wildcard 1 | *\software\remcos-*\licence, *\software\rmc-??????\licence, *\windows\currentversion\run\remcos, \autoshareserver, \autosharewks
EventData | 4 | contains 4 | -adjust, -date, -encodedcommand, clear-eventlog, clearlog
Payload | 4 | contains 4 | (get-psreadlineoption).historysavepath, -adjust, -date, -historysavestyle, clear-eventlog
process.args | 4 | eq 4, contains 1, starts_with 1, wildcard 1 | *Remove-Item*, *]::Delete(*, *del *, /e:false, /success:disable
EventType | 3 | eq 2, in 1 | DeleteKey, DeleteValue, Log clear, audit-log-cleared, deleted
Category | 2 | eq 2 | Microsoft-Windows-Eventlog
Provider_Name | 2 | eq 2 | Microsoft-Windows-Backup, Microsoft-Windows-Sysmon

Top indicator values (385 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition to get useful signal. A blank Corpus reach means the combination is specific to rules under this technique.

Field | Kind | Value | Rules (here) | Corpus reach
OriginalFileName | eq | cmd.exe | 7 | 65
OriginalFileName | eq | powershell.exe | 3 | 121
Image | ends_with | \cmd.exe | 5 | 134
event.type | eq | start | 5 | 241
CommandLine | contains | del | 4 | 5
CommandLine | contains | cl | 3 | 3
CommandLine | contains | erase | 3 | 3
CommandLine | contains | -n | 2 | 5
CommandLine | contains | del | 2 | 3
CommandLine | contains | /q | 2 | 8
CommandLine | contains | /s | 2 | 8
CommandLine | contains | clear-log | 2 | 2
CommandLine | contains | delete | 2 | 22
CommandLine | contains | deletejournal | 2 | 2
CommandLine | contains | ping | 2 | 7
CommandLine | contains | rmdir | 2 | 3
EventID | eq | 4104 | 4 | 268
EventID | eq | 1102 | 3 | 4
EventID | eq | 4103 | 3 | 105
process_name | eq | powershell.exe | 4 | 99
process_name | eq | fsutil.exe | 3 | 7
process_name | eq | powershell_ise.exe | 3 | 50
process_name | eq | pwsh.exe | 3 | 60
EventID | in | 23 | 3 | 6
EventID | in | 26 | 3 | 6
OriginalFileName | in | powershell.exe | 3 | 17
OriginalFileName | in | powershell_ise.exe | 3 | 9
OriginalFileName | in | pwsh.dll | 3 | 10
ScriptBlockText | contains | remove-item | 3 | 3
Category | eq | Microsoft-Windows-Eventlog | 2 | 2

Exclusions (80 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field | Kind | Value | Rules excluding
CommandLine | ends_with | unload DFMFilter | 1
CommandLine | ends_with | unload rtp_filesystem_filter | 1
CommandLine | ends_with | unload rtp_filter | 1
CreationUtcTime | starts_with | 202 | 1
Esql.winlog_AuditPolicyChangesDescription_values | contains | success added | 1
EventData | contains | gc_service.exe | 1
EventData | contains | gc_worker.exe | 1
Image | ends_with | :\windows\system32\svchost.exe | 1
Image | ends_with | \sihclient.exe | 1
Image | ends_with | \svchost.exe | 1
Image | ends_with | \tiworker.exe | 1
Image | ends_with | \vcredi~1.exe | 1
Image | eq | ?:\windows\system32\spoolsv.exe | 1
Image | eq | c:\program files (x86)\google\chrome\application\chrome.exe | 1
Image | eq | c:\program files (x86)\microsoft\edge\application\msedge.exe | 1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor; each rule entry carries its full predicates, exclusions, and indicators.

Sigma: 50 rules
Elastic: 10 rules
Splunk: 21 rules
Kusto: 5 rules
YARA-L: 1 rule