Applied Cybernetics Group
T1070 — Indicator Removal
- Technique: T1070
- Tactics: Stealth
- MISP citations: 0
- KEV CVEs mapped: 3
- Community rules: 20
- thrunt rules: 0
- Upstream: https://attack.mitre.org/techniques/T1070
MITRE description
Adversaries may selectively delete or modify artifacts generated to reduce indications of their presence and blend in with legitimate activity. Rather than broadly removing evidence, adversaries may target specific artifacts that appear anomalous or are likely to draw scrutiny, while leaving sufficient data intact to maintain the appearance of normal system behavior. Artifacts such as command histories, log entries, or file metadata may be altered in ways that align with expected user or system activity. Location, format, and type of artifact (such as command or login history) are often platform-specific, allowing adversaries to tailor modifications that minimize suspicion. These actions may not prevent detection entirely but can delay recognition of malicious activity or reduce the fidelity of alerts by making events appear benign or consistent with routine operations. Additionally, selectively removed or modified artifacts may still be recoverable through deeper forensic analysis, though their absence or alteration can complicate timeline reconstruction and attribution.
KEV CVEs mapped to this technique
Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.
Detection coverage
SigmaHQ community rules
- Kubernetes Events Deleted (core)
- SES Identity Has Been Deleted (core)
- Linux Package Uninstall (core)
- Remove Exported Mailbox from Exchange Webserver (core)
- EventLog EVTX File Deleted (core)
- Exchange PowerShell Cmdlet History Deleted (core)
- IIS WebServer Access Logs Deleted (core)
- PowerShell Console History Logs Deleted (core)
- Tomcat WebServer Logs Deleted (core)
- DLL Load By System Process From Suspicious Locations (core)
- Clearing Windows Console History (core)
- Disable of ETW Trace - Powershell (core)
- Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE (core)
- Sysmon Driver Unloaded Via Fltmc.EXE (core)
- Filter Driver Unloaded Via Fltmc.EXE (core)
- Fsutil Suspicious Invocation (core)
- IIS WebServer Log Deletion via CommandLine Utilities (core)
- ETW Trace Evasion Activity (core)
- Shadow Copies Deletion Using Operating Systems Utilities (core)
- Terminal Server Client Connection History Cleared - Registry (core)