T1070: Indicator Removal

Data from MITRE ATT&CK®:

Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.

Removal of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Encrypt Sensitive Information

Protect sensitive information with strong encryption.

Restrict File and Directory Permissions

Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.

Remote Data Storage

Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.

File Deletion (File)

Removal of a file (ex: Sysmon EID 23, macOS ESF EID ES_EVENT_TYPE_AUTH_UNLINK, or Linux commands auditd unlink, rename, rmdir, unlinked, or renameat rules)

Firewall Rule Modification (Firewall)

Changes made to a firewall rule, typically to allow/block specific network traffic (ex: Windows EID 4950 or Write/Delete entries within Azure Firewall Rule Collection Activity Logs)

File Metadata (File)

Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.

Application Log Content (Application Log)

Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)

User Account Deletion (User Account)

Removal of an account (ex: Windows EID 4726 or /var/log access/authentication logs)

User Account Authentication (User Account)

An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4776 or /var/log/auth.log)

Command Execution (Command)

The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )

Network Traffic Content (Network Traffic)

Logged network traffic data showing both protocol header and body values (ex: PCAP)

Windows Registry Key Deletion (Windows Registry)

Removal of a Registry Key (ex: Windows EID 4658 or Sysmon EID 12)

Scheduled Job Modification (Scheduled Job)

Changes made to a scheduled job, such as modifications to the execution launch (ex: Windows EID 4702 or /var/log cron logs)

OS API Execution (Process)

Operating system function/method calls executed by a process

Windows Registry Key Modification (Windows Registry)

Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)

Process Creation (Process)

The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)

File Modification (File)

Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)

Indicator Removal using FSUtil

windows

Indicator Manipulation using FSUtil

windows

Disable of ETW Trace

windows process creation

Shadow Copies Deletion Using Operating Systems Utilities

windows process creation

SES Identity Has Been Deleted

aws

Remove Exported Mailbox from Exchange Webserver

windows

Clearing Windows Console History

windows ps script

Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE

windows process creation

Terminal Server Client Connection History Cleared - Registry

windows registry delete

IIS WebServer Access Logs Deleted

windows file delete

Kubernetes Events Deleted

kubernetes application

Disable of ETW Trace - Powershell

windows ps script

DLL Load By System Process From Suspicious Locations

windows image load

Sysmon Driver Unloaded Via Fltmc.EXE

windows process creation

Tomcat WebServer Logs Deleted

windows file delete

Filter Driver Unloaded Via Fltmc.EXE

windows process creation

Linux Package Uninstall

linux process creation

EventLog EVTX File Deleted

windows file delete

PowerShell Console History Logs Deleted

windows file delete

Exchange PowerShell Cmdlet History Deleted

windows file delete

Fsutil Suspicious Invocation

windows process creation