T1070: Indicator Removal

Adversaries may selectively delete or modify artifacts generated to reduce indications of their presence and blend in with legitimate activity. Rather than broadly removing evidence, adversaries may target specific artifacts that appear anomalous or are likely to draw scrutiny, while leaving sufficient data intact to maintain the appearance of normal system behavior. Artifacts such as command histories, log entries, or file metadata may be altered in ways that align with expected user or system...
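The selective, artifact-specific removal described above is what most of the detections catalogued on this page key on: a single command line that clears, truncates, deletes or timestomps one particular artifact while the rest of the system keeps looking normal. The following Python is an added example, not code from the original page or from any of the listed rule sources. The rule names are loosely modelled on detection titles from this page; the regular expressions, hosts, users and command lines are assumptions constructed for the demonstration.

```python
"""Constructed detection logic for T1070 (Indicator Removal): a small rule
set, modelled on detection names listed on this page, run over sample
process-creation events.  Added example, not code from the original page."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str          # assumed label, loosely modelled on this page's detections
    severity: str
    platform: str      # "windows" or "linux"; a rule only fires on matching hosts
    pattern: re.Pattern


# Assumed patterns: each targets the command-line shape of one artifact removal.
RULES = [
    Rule("Windows Event Logs Cleared", "medium", "windows",
         re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)),
    Rule("USN Journal Deletion", "low", "windows",
         re.compile(r"\bfsutil(?:\.exe)?\s+usn\s+deletejournal\b", re.I)),
    Rule("PowerShell Console History Logs Deleted", "medium", "windows",
         re.compile(r"\b(?:Remove-Item|del|erase|rm)\b.*ConsoleHost_history\.txt", re.I)),
    Rule("Attempt to Clear Kernel Ring Buffer", "high", "linux",
         re.compile(r"\bdmesg\s+(?:-c|--clear)\b")),
    Rule("Attempt to Clear Logs via Journalctl", "medium", "linux",
         re.compile(r"\bjournalctl\b.*--(?:vacuum-(?:time|size|files)|rotate)\b")),
    Rule("Shell History Clearing via Environment Variables", "high", "linux",
         re.compile(r"\bunset\s+HISTFILE\b|HISTFILE=/dev/null|\bHIST(?:FILE)?SIZE=0\b")),
    Rule("Tampering of Shell Command-Line History", "medium", "linux",
         re.compile(r"\bhistory\s+-c\b|\brm\b.*\.(?:bash|zsh|sh)_history\b")),
    Rule("Timestomping using Touch Command", "medium", "linux",
         re.compile(r"\btouch\b.*\s-(?:[am]?[rtd]|-reference|-date)\b")),
    Rule("File Deletion via Shred", "medium", "linux",
         re.compile(r"\bshred\b")),
    Rule("System Log File Deletion", "medium", "linux",
         re.compile(r"\b(?:rm|unlink)\b.*\s/var/log/\S+")),
]


@dataclass(frozen=True)
class Event:
    event_id: int
    host: str
    platform: str
    user: str
    command_line: str


def normalize(cmd: str) -> str:
    """Collapse runs of whitespace so spacing tricks do not split a match."""
    return " ".join(cmd.split())


def evaluate(events: List[Event]) -> List[Tuple[int, str, str]]:
    """Return one (event_id, rule name, severity) tuple per rule/event match."""
    findings = []
    for ev in events:
        cmd = normalize(ev.command_line)
        for rule in RULES:
            if rule.platform == ev.platform and rule.pattern.search(cmd):
                findings.append((ev.event_id, rule.name, rule.severity))
    return findings


# Constructed sample telemetry; hosts, users, paths and commands are made up.
SAMPLE_EVENTS = [
    Event(1, "ws01", "windows", "CORP\\jdoe", "wevtutil.exe cl Security"),
    Event(2, "ws01", "windows", "CORP\\jdoe", "wevtutil qe Security /c:5"),   # a query, not a clear
    Event(3, "ws02", "windows", "CORP\\svc_bk", "fsutil usn deletejournal /D C:"),
    Event(4, "ws02", "windows", "CORP\\jdoe",
          r'powershell -c "Remove-Item $env:APPDATA\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt"'),
    Event(5, "web01", "linux", "root", "dmesg -c"),
    Event(6, "web01", "linux", "root", "journalctl --vacuum-time=1s"),
    Event(7, "web01", "linux", "deploy", 'bash -c "unset HISTFILE; history -c"'),  # two rules fire
    Event(8, "web01", "linux", "deploy", "touch -r /bin/ls /tmp/.x/payload"),
    Event(9, "web01", "linux", "deploy", "touch /tmp/newfile"),               # benign touch
    Event(10, "db01", "linux", "root", "shred -u /var/log/auth.log"),
    Event(11, "db01", "linux", "root", "rm -f /var/log/wtmp /var/log/btmp"),
    Event(12, "db01", "linux", "ops", "journalctl -u sshd --since today"),    # benign read
]


if __name__ == "__main__":
    for event_id, name, severity in evaluate(SAMPLE_EVENTS):
        print(f"event {event_id:2d}  [{severity:6s}]  {name}")
```

Running the block prints one line per match. The benign look-alikes in the sample set (a wevtutil query, a plain touch, a journalctl read) produce no finding, which is the negative check worth running before deploying any such pattern; a production rule would normally also condition on parent process, image path and user so that routine log rotation by an administrator is not alerted on alongside an intrusion.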

Platforms: Containers, ESXi, Linux, macOS, Network Devices, Office Suite, Windows

62 detections, 4 sources, 4 threat actors

BY SOURCE

elastic: 30, sigma: 20, splunk_escu: 8, kql: 4

PROCEDURES (32)

Auto-extracted groupings of the detections; some labels appear more than once.

General Monitoring: 11 detections
Process Creation Monitoring: 10 detections
File Monitoring: 2 detections
Event Log: 2 detections
Cloud: 2 detections
Powershell: 2 detections
Driver: 2 detections
Cloud Monitoring: 2 detections
Kubernetes: 2 detections
Authentication Monitoring: 2 detections
Evasion: 2 detections
Suspicious: 1 detection
Container: 1 detection
Service: 1 detection
Suspicious: 1 detection
Unusual: 1 detection
Persist: 1 detection
Persist: 1 detection
Suspicious: 1 detection
Container: 1 detection
Powershell: 1 detection
Suspicious: 1 detection
Persist: 1 detection
Registry: 1 detection
Event Log: 1 detection
Cloud: 1 detection
Evasion: 1 detection
Script Execution Monitoring: 1 detection
Powershell: 1 detection
Event Log: 1 detection
Container: 1 detection
Event Log: 1 detection

DETECTIONS (62)

Each entry gives the detection name followed by its source and, where the source assigns one, its severity.

Attempt to Clear Kernel Ring Buffer (elastic, high)
Attempt to Clear Logs via Journalctl (elastic, medium)
AWS S3 Bucket Configuration Deletion (elastic, low)
AWS S3 Bucket Expiration Lifecycle Configuration Added (elastic, low)
Cisco ASA - Logging Message Suppression (splunk_escu)
Clearing Windows Console History (elastic, medium)
Clearing Windows Console History (sigma, high)
Clearing Windows Event Logs (elastic, low)
Custom Detection Deletion (kql)
Custom Detection Disabled (kql)
Custom Detection Report for Microsoft Defender (kql)
Delete Volume USN Journal with Fsutil (elastic, low)
Disable of ETW Trace - Powershell (sigma, high)
Disable Windows Event and Security Logs Using Built-in Tools (elastic, low)
DLL Load By System Process From Suspicious Locations (sigma, medium)
ESXi Audit Tampering (splunk_escu)
ESXI Timestomping using Touch Command (elastic, medium)
ETW Trace Evasion Activity (sigma, high)
EventLog EVTX File Deleted (sigma, medium)
Exchange PowerShell Cmdlet History Deleted (sigma, high)
File Creation in /var/log via Suspicious Process (elastic, medium)
File Creation, Execution and Self-Deletion in Suspicious Directory (elastic, high)
File Deletion via Shred (elastic, medium)
Filter Driver Unloaded Via Fltmc.EXE (sigma, medium)
Fsutil Suspicious Invocation (sigma, high)
Fsutil Zeroing File (splunk_escu)
IIS WebServer Access Logs Deleted (sigma, medium)
IIS WebServer Log Deletion via CommandLine Utilities (sigma, medium)
Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers (elastic, high)
Kubernetes Events Deleted (elastic, low)
Kubernetes Events Deleted (sigma, medium)
Linux Indicator Removal Clear Cache (splunk_escu)
Linux Package Uninstall (sigma, low)
Linux User or Group Deletion (elastic, low)
M365 Exchange MFA Notification Email Deleted or Moved (elastic, low)
MacOS Log Removal (splunk_escu)
Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE (sigma, medium)
Potential REMCOS Trojan Execution (elastic, high)
Potential Secure File Deletion via SDelete Utility (elastic, low)
Potential Timestomp in Executable Files (elastic, medium)
PowerShell Console History Logs Deleted (sigma, medium)
Process Deleting Its Process File Path (splunk_escu)
Remove Exported Mailbox from Exchange Webserver (sigma, high)
Sensitive Audit Policy Sub-Category Disabled (elastic, medium)
SES Identity Has Been Deleted (sigma, medium)
Shadow Copies Deletion Using Operating Systems Utilities (sigma, high)
Shell Command-Line History Deletion Detected via Defend for Containers (elastic, high)
Shell History Clearing via Environment Variables (elastic, high)
SSH Authorized Keys File Deletion (elastic, low)
SSL Certificate Deletion (elastic, low)
Suspicious Print Spooler File Deletion (elastic, medium)
Sysmon Driver Unloaded Via Fltmc.EXE (sigma, high)
System Log File Deletion (elastic, medium)
Tampering of Shell Command-Line History (elastic, medium)
Terminal Server Client Connection History Cleared - Registry (sigma, high)
Timestomping using Touch Command (elastic, medium)
Tomcat WebServer Logs Deleted (sigma, medium)
USN Journal Deletion (splunk_escu)
WebServer Access Logs Deleted (elastic, medium)
Wevutil Clear Windows Event Logs (kql)
Windows Event Logs Cleared (elastic, low)
Windows Indicator Removal Via Rmdir (splunk_escu)