T1070

Indicator Removal

Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command...

Platforms: Containers, ESXi, Linux, macOS, Network Devices, Office Suite, Windows
56 detections, 3 sources, 4 threat actors

BY SOURCE

elastic: 29, sigma: 20, splunk_escu: 7
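The description above lists the kinds of artifacts an adversary removes (event logs, journal and ring-buffer contents, shell history, file timestamps). As an added example that is not part of this catalog or of any vendor rule set it indexes, the Python below runs a handful of command-line rules over constructed process-creation events and reports which catalog entry each one would correspond to. Rule names, sources and severities are copied from the detection list on this page; the regexes (approximations written here, not the elastic/sigma/splunk_escu logic), the event schema, and the sample events are assumptions made for this example.

```python
"""Toy T1070 (Indicator Removal) detection pass over process-creation events.

Added example for this page. The regexes are approximations written here, not the
vendor rules whose names they carry; names, sources and severities are copied from
the catalog, and the sample events are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    platform: str        # "windows" or "linux"; a rule only fires on its own platform
    command_line: str


@dataclass(frozen=True)
class Rule:
    name: str            # detection name as listed on this page
    source: str
    severity: str        # as listed; "n/a" where the page shows none (splunk_escu)
    platform: str
    pattern: re.Pattern


def _rule(name, source, severity, platform, regex):
    return Rule(name, source, severity, platform, re.compile(regex, re.IGNORECASE))


RULES = [
    # Windows: event-log clearing, USN journal and shadow-copy removal, console history
    _rule("Clearing Windows Event Logs", "elastic", "low", "windows",
          r"\bwevtutil(\.exe)?\b.*\b(cl|clear-log)\b|\bClear-EventLog\b"),
    _rule("Delete Volume USN Journal with Fsutil", "elastic", "low", "windows",
          r"\bfsutil(\.exe)?\b.*\busn\b.*\bdeletejournal\b"),
    _rule("Shadow Copies Deletion Using Operating Systems Utilities", "sigma", "high", "windows",
          r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b|\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    _rule("Clearing Windows Console History", "sigma", "high", "windows",
          r"\bClear-History\b|\b(Remove-Item|del|erase|rm)\b.*ConsoleHost_history\.txt"),
    _rule("Windows Indicator Removal Via Rmdir", "splunk_escu", "n/a", "windows",
          r"\brmdir\b.*\s/s\b.*\s/q\b"),
    # Linux: kernel ring buffer, journald, shell history, secure deletion, timestomping
    _rule("Attempt to Clear Kernel Ring Buffer", "elastic", "high", "linux",
          r"\bdmesg\b.*(\s-c\b|\s--clear\b)"),
    _rule("Attempt to Clear Logs via Journalctl", "elastic", "medium", "linux",
          r"\bjournalctl\b.*--vacuum-(time|size|files)\b"),
    _rule("Tampering of Shell Command-Line History", "elastic", "medium", "linux",
          r"\bhistory\s+-c\b|\bunset\s+HISTFILE\b|HISTFILE=/dev/null|\brm\b.*\.(bash|zsh)_history\b"),
    _rule("File Deletion via Shred", "elastic", "medium", "linux", r"\bshred\b"),
    _rule("Timestomping using Touch Command", "elastic", "medium", "linux",
          r"\btouch\b.*\s(-[rtd]|--reference|--date)\b"),
]


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    command_line: str
    detection: str
    source: str
    severity: str


def detect(events):
    """One Finding per (event, matching rule); a single command line can fire several rules."""
    findings = []
    for ev in events:
        for rule in RULES:
            if rule.platform == ev.platform and rule.pattern.search(ev.command_line):
                findings.append(Finding(ev.host, ev.user, ev.command_line,
                                        rule.name, rule.source, rule.severity))
    return findings


def severity_counts(findings):
    """Triage helper: number of findings per severity tier."""
    return Counter(f.severity for f in findings)


# Constructed sample telemetry. Benign commands are mixed in to show what must NOT fire:
# wevtutil used only to query, and touch without a timestamp/reference option.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "bob", "windows", "wevtutil.exe cl Security"),
    ProcessEvent("ws01", "bob", "windows", "vssadmin.exe delete shadows /all /quiet"),
    ProcessEvent("ws01", "bob", "windows", "fsutil usn deletejournal /D C:"),
    ProcessEvent("ws02", "svc_backup", "windows", "wevtutil.exe qe Security /c:5 /f:text"),
    ProcessEvent("ws02", "alice", "windows",
                 r'powershell -c "Remove-Item $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"'),
    ProcessEvent("web01", "www-data", "linux", "bash -c 'history -c; unset HISTFILE; touch -r /bin/ls /tmp/.x'"),
    ProcessEvent("web01", "root", "linux", "journalctl --vacuum-time=1s"),
    ProcessEvent("web01", "root", "linux", "dmesg -C"),
    ProcessEvent("web01", "deploy", "linux", "touch /var/www/html/index.html"),
    ProcessEvent("web01", "root", "linux", "shred -u /var/log/auth.log"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity:>6}] {f.host}/{f.user}: {f.detection} <- {f.command_line}")
```

Two things worth noticing when running it: the single `bash -c` line fires twice (history tampering and timestomping), which is the usual shape of hands-on-keyboard cleanup and a good candidate for correlation, and several of these command lines are also produced by legitimate tooling (backup agents calling vssadmin or fsutil, admins running journalctl with vacuum options), which is why the catalog lists low or medium severity for them. Tune on user, parent process and host role before routing a match to a pager.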

PROCEDURES (29)

Auto-extracted categories (some labels appear more than once):

- Process Creation Monitoring: 10 detections
- General Monitoring: 9 detections
- File Monitoring: 3 detections
- Kubernetes: 2 detections
- Authentication Monitoring: 2 detections
- Registry: 2 detections
- Powershell: 2 detections
- Driver: 2 detections
- Event Log: 2 detections
- Tamper: 2 detections
- Kernel: 2 detections
- Service: 1 detection
- Container: 1 detection
- Evasion: 1 detection
- Suspicious: 1 detection
- Container: 1 detection
- Unusual: 1 detection
- Encrypt: 1 detection
- Persist: 1 detection
- Cloud Monitoring: 1 detection
- Unusual: 1 detection
- Script Execution Monitoring: 1 detection
- Suspicious: 1 detection
- Powershell: 1 detection
- Powershell: 1 detection
- Evasion: 1 detection
- Event Log: 1 detection
- Ransomware: 1 detection
- Encrypt: 1 detection

DETECTIONS (56)

Format: name (source, severity); splunk_escu entries carry no severity on this page.

- Attempt to Clear Kernel Ring Buffer (elastic, high)
- Attempt to Clear Logs via Journalctl (elastic, medium)
- AWS S3 Bucket Configuration Deletion (elastic, low)
- AWS S3 Bucket Expiration Lifecycle Configuration Added (elastic, low)
- Cisco ASA - Logging Message Suppression (splunk_escu)
- Clearing Windows Console History (elastic, medium)
- Clearing Windows Console History (sigma, high)
- Clearing Windows Event Logs (elastic, low)
- Delete Volume USN Journal with Fsutil (elastic, low)
- Disable of ETW Trace - Powershell (sigma, high)
- Disable Windows Event and Security Logs Using Built-in Tools (elastic, low)
- DLL Load By System Process From Suspicious Locations (sigma, medium)
- ESXi Audit Tampering (splunk_escu)
- ESXI Timestomping using Touch Command (elastic, medium)
- ETW Trace Evasion Activity (sigma, high)
- EventLog EVTX File Deleted (sigma, medium)
- Exchange PowerShell Cmdlet History Deleted (sigma, high)
- File Creation in /var/log via Suspicious Process (elastic, medium)
- File Creation, Execution and Self-Deletion in Suspicious Directory (elastic, high)
- File Deletion via Shred (elastic, medium)
- Filter Driver Unloaded Via Fltmc.EXE (sigma, medium)
- Fsutil Suspicious Invocation (sigma, high)
- Fsutil Zeroing File (splunk_escu)
- IIS WebServer Access Logs Deleted (sigma, medium)
- IIS WebServer Log Deletion via CommandLine Utilities (sigma, medium)
- Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers (elastic, high)
- Kubernetes Events Deleted (sigma, medium)
- Kubernetes Events Deleted (elastic, low)
- Linux Indicator Removal Clear Cache (splunk_escu)
- Linux Package Uninstall (sigma, low)
- Linux User or Group Deletion (elastic, low)
- M365 Exchange MFA Notification Email Deleted or Moved (elastic, low)
- Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE (sigma, medium)
- Potential REMCOS Trojan Execution (elastic, high)
- Potential Secure File Deletion via SDelete Utility (elastic, low)
- Potential Timestomp in Executable Files (elastic, medium)
- PowerShell Console History Logs Deleted (sigma, medium)
- Process Deleting Its Process File Path (splunk_escu)
- Remove Exported Mailbox from Exchange Webserver (sigma, high)
- Sensitive Audit Policy Sub-Category Disabled (elastic, medium)
- SES Identity Has Been Deleted (sigma, medium)
- Shadow Copies Deletion Using Operating Systems Utilities (sigma, high)
- Shell Command-Line History Deletion Detected via Defend for Containers (elastic, high)
- SSH Authorized Keys File Deletion (elastic, low)
- SSL Certificate Deletion (elastic, low)
- Suspicious Print Spooler File Deletion (elastic, medium)
- Sysmon Driver Unloaded Via Fltmc.EXE (sigma, high)
- System Log File Deletion (elastic, medium)
- Tampering of Shell Command-Line History (elastic, medium)
- Terminal Server Client Connection History Cleared - Registry (sigma, high)
- Timestomping using Touch Command (elastic, medium)
- Tomcat WebServer Logs Deleted (sigma, medium)
- USN Journal Deletion (splunk_escu)
- WebServer Access Logs Deleted (elastic, medium)
- Windows Event Logs Cleared (elastic, low)
- Windows Indicator Removal Via Rmdir (splunk_escu)