ATT&CK Technique

Indicator Removal

T1070 · stealth

Adversaries may selectively delete or modify artifacts generated to reduce indications of their presence and blend in with legitimate activity. Rather than broadly removing evidence, adversaries may target specific artifacts that appear anomalous or are likely to draw scrutiny, while leaving sufficient data intact to maintain the appearance of normal system behavior. Artifacts such as command histories, log entries, or file metadata may be altered in ways that align with expected user or system activity.

Location, format, and type of artifact (such as command or login history) are often platform-specific, allowing adversaries to tailor modifications that minimize suspicion. These actions may not prevent detection entirely but can delay recognition of malicious activity or reduce the fidelity of alerts by making events appear benign or consistent with routine operations. Additionally, selectively removed or modified artifacts may still be recoverable through deeper forensic analysis, though their absence or alteration can complicate timeline reconstruction and attribution.

Platforms: Containers, ESXi, Linux, macOS, Network Devices, Office Suite, Windows

Actors Using This

Agrius (Iran)
Akira (Russian-speaking cybercrime)
ALPHV / BlackCat (Russian-speaking cybercrime)
Amavaldo (Latin America, Brazilian organized cybercrime)
Andariel (North Korea)
APT10 (China)
APT17 (China)
APT1 (China)
APT28 (Russia)
APT29 (Russia)
APT31 (China)
APT33 (Iran)
OilRig (Iran)

Atomic Tests (2)

Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
Indicator Removal using FSUtil (command_prompt · elevated · windows)
Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume. With the /D switch the journal is deleted, removing the change record that forensic timeline tools rely on, which is why this is an indicator-removal test. Upon execution, no output will be displayed. More information about fsutil can be found at https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
fsutil usn deletejournal /D C:
Indicator Manipulation using FSUtil (powershell · windows)
Finds a file by user name (if Disk Quotas are enabled), queries allocated ranges for a file, sets a file's short name, sets a file's valid data length, sets zero data for a file, or creates a new file. The test below overwrites a byte range of a file with zeros. Upon execution, no output will be displayed. The #{...} tokens are Atomic Red Team input arguments; substitute a file path and a byte length before running. More information about fsutil can be found at https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-file - https://tria.ge/230601-x8x6bsgb24/behavioral2
if (-not (Test-Path "#{file_to_manipulate}")) { New-Item "#{file_to_manipulate}" -Force } 
echo "1234567890" > "#{file_to_manipulate}"
fsutil file setZeroData offset=0 length=#{file_data_length} "#{file_to_manipulate}"

Mitigations (3)

MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1022 · Restrict File and Directory Permissions

Restricting file and directory permissions involves setting access controls at the file system level to limit which users, groups, or processes can read, write, or execute files. By configuring permissions appropriately, organizations can reduce the attack surface for adversaries seeking to access sensitive data, plant malicious code, or tamper with system files.

Enforce Least Privilege Permissions
  • Remove unnecessary write permissions on sensitive files and directories.
  • Use file ownership and groups to control access for specific roles. Example (Windows): right-click the shared folder, open Properties, switch to the Security tab, and adjust the NTFS ACL there.
Harden File Shares
  • Disable anonymous access to shared folders.
  • Enforce NTFS permissions for shared folders on Windows. Example: restrict write access to critical files such as system executables (e.g., /bin or /sbin on Linux). Use chown and chmod to assign ownership and limit access; on Linux: chmod 750 /etc/sensitive.conf and chown root:admin /etc/sensitive.conf.
File Integrity Monitoring (FIM)
  • Use tools like Tripwire, Wazuh, or OSSEC to monitor changes to critical file permissions.
Audit File System Access
  • Enable auditing to track permission changes or unauthorized access attempts.
  • Use auditd (Linux) or Event Viewer (Windows) to log activities.
Restrict Startup Directories
  • Configure permissions to prevent unauthorized writes to directories like C:\ProgramData\Microsoft\Windows\Start Menu. Example: restrict write access to critical directories like /etc/, /usr/local/, and Windows directories such as C:\Windows\System32.
  • On Windows, icacls modifies permissions, e.g. icacls "C:\Windows\System32" /inheritance:r /grant:r SYSTEM:(OI)(CI)F. Treat that command as a template, not a recipe: /inheritance:r strips every inherited ACE and /grant:r replaces SYSTEM's explicit entry, so test any ACL change on a non-production host before rolling it out.
  • On Linux, monitor permissions using tools like lsattr or auditd.
For this technique the files that matter most are the logs and histories themselves (C:\Windows\System32\winevt\Logs, /var/log, shell history files): they should be writable only by the logging service and root, and on Linux chattr +a makes a log append-only so that even a root shell cannot truncate it without first removing the attribute, an action auditd can record.
M1029 · Remote Data Storage

Remote Data Storage focuses on moving critical data, such as security logs and sensitive files, to secure, off-host locations to minimize unauthorized access, tampering, or destruction by adversaries. By leveraging remote storage solutions, organizations enhance the protection of forensic evidence, sensitive information, and monitoring data.

Centralized Log Management
  • Configure endpoints to forward security logs to a centralized log collector or SIEM.
  • Use tools like Splunk, Graylog, or Security Onion to aggregate and store logs.
  • Example (Linux): forward syslog over TCP with rsyslog by adding *.* @@<remote-log-server>:514 to /etc/rsyslog.d/remote.conf (a single @ selects UDP). For audit records use auditd's audisp-remote plugin rather than a pipe: auditd is a daemon that writes /var/log/audit/audit.log and does not emit records on stdout.
Remote File Storage Solutions
  • Utilize cloud storage solutions like AWS S3, Google Cloud Storage, or Azure Blob Storage for sensitive data.
  • Ensure proper encryption at rest and access control policies (IAM roles, ACLs).
Intrusion Detection Log Forwarding
  • Forward logs from IDS/IPS systems (e.g., Zeek/Suricata) to a remote security information system.
  • Example for Suricata: in suricata.yaml set the eve-log output's filetype to syslog so events go through the local syslog daemon, then have that daemon forward to <remote-syslog-server> over TLS.
Immutable Backup Configurations
  • Enable immutable storage settings for backups to prevent adversaries from modifying or deleting data.
  • Example: AWS S3 Object Lock.
Data Encryption
  • Ensure encryption for sensitive data using AES-256 at rest and TLS 1.2+ for data in transit. Tools: OpenSSL, BitLocker, LUKS for Linux.
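Forwarding logs off-host only helps against indicator removal if the stored copy can be shown to be complete. The following Python is an added example, not code from the page or from any vendor, showing one way a collector makes its copy tamper-evident: each forwarded record is chained to its predecessor with an HMAC under a key that exists only on the collector, so an adversary who later deletes, edits, inserts, reorders or truncates entries on the stored copy is detected at verification time. The records, hostname and key are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample records as a collector might receive them from one host
# (illustrative values, not real log data). The second entry is the kind of
# action an adversary would later want to erase.
SAMPLE_RECORDS = [
    {"ts": "2024-05-01T10:00:01Z", "host": "web01",
     "msg": "sshd: Accepted publickey for deploy from 10.0.0.5"},
    {"ts": "2024-05-01T10:00:07Z", "host": "web01",
     "msg": "sudo: deploy : COMMAND=/usr/bin/truncate -s 0 /var/log/auth.log"},
    {"ts": "2024-05-01T10:00:09Z", "host": "web01",
     "msg": "sshd: session closed for user deploy"},
]


def canonical(record: dict) -> bytes:
    """Stable serialisation so an unchanged record always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def chain_records(records, key: bytes, seed: bytes = b"genesis"):
    """Annotate each record with a sequence number and an HMAC tag that covers
    the previous tag plus the record. Returns (entries, head), where head is
    the tag of the last entry; persist head separately from the entries,
    otherwise deleting the tail of the chain goes unnoticed."""
    prev = hmac.new(key, seed, hashlib.sha256).digest()
    entries = []
    for seq, rec in enumerate(records):
        tag = hmac.new(key, prev + canonical(rec), hashlib.sha256).digest()
        entries.append({"seq": seq, "record": rec, "tag": tag.hex()})
        prev = tag
    return entries, prev.hex()


def verify_chain(entries, key: bytes, head: str, seed: bytes = b"genesis"):
    """Return (True, None) if the stored entries are exactly the chain that
    produced `head`, else (False, reason). Catches edited, deleted, inserted,
    reordered and tail-truncated entries, and verification under a wrong key."""
    prev = hmac.new(key, seed, hashlib.sha256).digest()
    for expected_seq, entry in enumerate(entries):
        if entry.get("seq") != expected_seq:
            return False, f"sequence gap at {expected_seq}"
        tag = hmac.new(key, prev + canonical(entry["record"]), hashlib.sha256).digest()
        if not hmac.compare_digest(tag.hex(), entry.get("tag", "")):
            return False, f"tag mismatch at {expected_seq}"
        prev = tag
    if not hmac.compare_digest(prev.hex(), head):
        return False, f"head mismatch after {len(entries)} entries (tail truncated?)"
    return True, None


if __name__ == "__main__":
    key = b"collector-only-secret"  # assumption: kept off the endpoints
    entries, head = chain_records(SAMPLE_RECORDS, key)
    print("intact:", verify_chain(entries, key, head))
    # An adversary removes the sudo line and renumbers to hide the gap.
    doctored = [dict(entries[0]), dict(entries[2], seq=1)]
    print("entry removed:", verify_chain(doctored, key, head))
```

The chain detects a change after the fact but does not prevent it, so it belongs alongside immutable storage (S3 Object Lock, WORM volumes), not instead of it. Tail truncation is the case a plain hash chain misses, which is why the head tag is returned and must be stored away from the entries it summarises.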
M1041 · Encrypt Sensitive Information

Protect sensitive information at rest, in transit, and during processing by using strong encryption algorithms. Encryption ensures the confidentiality and integrity of data, preventing unauthorized access or tampering.

Encrypt Data at Rest
  • Use Case: Use full-disk encryption or file-level encryption to secure sensitive data stored on devices.
  • Implementation: Implement BitLocker for Windows systems or FileVault for macOS devices to encrypt hard drives.
Encrypt Data in Transit
  • Use Case: Use secure communication protocols (e.g., TLS, HTTPS) to encrypt sensitive data as it travels over networks.
  • Implementation: Enable HTTPS for all web applications and configure mail servers to enforce STARTTLS for email encryption.
Encrypt Backups
  • Use Case: Ensure that backup data is encrypted both during storage and transfer to prevent unauthorized access.
  • Implementation: Encrypt cloud backups using AES-256 before uploading them to Amazon S3 or Google Cloud.
Encrypt Application Secrets
  • Use Case: Store sensitive credentials, API keys, and configuration files in encrypted vaults.
  • Implementation: Use HashiCorp Vault or AWS Secrets Manager to manage and encrypt secrets.
Database Encryption
  • Use Case: Enable Transparent Data Encryption (TDE) or column-level encryption in database management systems.
  • Implementation: Use MySQL’s built-in encryption features to encrypt sensitive database fields such as social security numbers.

Detection Coverage: 3/6 layers

Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
  • Behavioral / log (Sigma): 20
  • Analytics (MITRE CAR): 4
  • Runtime / container (Falco): 2
  • File / malware (YARA): none
  • Network (Suricata/Snort): none
  • Vuln scan (Nuclei): none

CAR Analytics (4)

MITRE Cyber Analytics Repository - field-tested detection logic for this technique, written as pseudocode/queries you adapt to your own SIEM (Splunk, Sentinel, EQL). Each is a ready starting point for a detection rule, not just a description.
CAR-2016-04-002 · User Activity from Clearing Event Logs (moderate coverage)

It is unlikely that event log data would be cleared during normal operations, and malicious actors are likely to try to cover their tracks by clearing an event log. When an event log gets cleared, it is suspicious.

1. This is often done using wevtutil, a legitimate tool provided by Microsoft. This action interferes with event collection and notification, and may lead to a security event going undetected, thereby potentially leading to further compromise of the network.
2. Alerting when a Clear Event Log event is generated could point to this intruder technique. Centrally collecting events has the added benefit of making it much harder for attackers to cover their tracks. Event Forwarding permits sources to forward multiple copies of a collected event to multiple collectors, enabling redundant event collection; a redundant collection model minimizes the single-point-of-failure risk.
3. Attackers may change the overflow action of the Security log with Limit-EventLog -LogName Security -OverflowAction DoNotOverwrite so that old events are not overwritten when the .evtx is full. By default the Security log size is the minimum value of 20,480 KB (roughly 23,000 events), so once the log fills, every new event is discarded. This behavior can be detected with Security event 1104 ("The security log is now full").
4. Attackers may delete the .evtx with del C:\Windows\System32\winevt\Logs\Security.evtx or Remove-Item C:\Windows\System32\winevt\Logs\Security.evtx after disabling and stopping the EventLog service. With the service stopped, the .evtx files are no longer held open by it and can be deleted; the log stays unavailable until the configuration is reset.
5. Attackers may use the PowerShell command Remove-EventLog -LogName Security to unregister an event source that is part of Windows (Application, Security, ...). This command deletes the Security event log (which also generates event 1102), but new events are still recorded until the system is rebooted; after the reboot the Security log is unregistered and records nothing. Events generated between the command and the reboot remain available in the .evtx file.

pseudocode - PseudoCode for dedicated EventID EventLog deletion
([log_name] == "Security" and [event_code] in [1100, 1102, 1104]) or
([log_name] == "System" and [event_code] == 104)
LogPoint - LogPoint version of the above pseudocode.
norm_id=WinServer ((channel="Security" event_id IN [1100,1102,1104]) OR (channel="System" event_id=104))
Splunk - Splunk search - Detecting log clearing with wevtutil
index=__your_sysmon_index__ sourcetype= __your__windows__sysmon__sourcetype EventCode=1 (Image=*wevtutil* CommandLine=*cl* (CommandLine=*System* OR CommandLine=*Security* OR CommandLine=*Setup* OR CommandLine=*Application*) OR Clear-EventLog OR Limit-EventLog OR (Remove-Item AND .evtx) OR Remove-EventLog)
CAR-2020-11-005 · Clear PowerShell Console Command History (low coverage)

Adversaries may attempt to conceal their tracks by deleting the history of commands run within the PowerShell console, or by turning off history saving to begin with. This analytic looks for several commands that would do this. It does not capture the event if it is done within an already-running console; only command-line-based invocations that spawn a process are detected. Note that the command to remove the history file directly may vary a bit if the history file is not saved in the default path on a particular system. The -HistorySaveStyle parameter must be written with a plain ASCII hyphen in the search strings; a Unicode dash, as found in some published copies of this analytic, never matches a real command line.

Pseudocode - clear or disable PowerShell console history via the command line
processes = search Process:Create
clear_commands = filter processes where (
  command_line = "*rm (Get-PSReadlineOption).HistorySavePath*" OR
  command_line = "*del (Get-PSReadlineOption).HistorySavePath*" OR
  command_line = "*Set-PSReadlineOption -HistorySaveStyle SaveNothing*" OR
  command_line = "*Remove-Item (Get-PSReadlineOption).HistorySavePath*" OR
  command_line = "del*Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt")
output clear_commands
Splunk - Splunk Search - clear command history via PowerShell
(index=__your_sysmon_index__ EventCode=1) (CommandLine="*rm (Get-PSReadlineOption).HistorySavePath*" OR CommandLine="*del (Get-PSReadlineOption).HistorySavePath*" OR CommandLine="*Set-PSReadlineOption -HistorySaveStyle SaveNothing*" OR CommandLine="*Remove-Item (Get-PSReadlineOption).HistorySavePath*" OR CommandLine="del*Microsoft\\Windows\\Powershell\\PSReadline\\ConsoleHost_history.txt")
LogPoint - LogPoint Search - clear command history via PowerShell
norm_id=WindowsSysmon event_id=1 (command="*rm (Get-PSReadlineOption).HistorySavePath*" OR command="*del (Get-PSReadlineOption).HistorySavePath*" OR command="*Set-PSReadlineOption -HistorySaveStyle SaveNothing*" OR command="*Remove-Item (Get-PSReadlineOption).HistorySavePath*" OR command="del*Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt")
CAR-2020-11-007 · Network Share Connection Removal (high coverage)

Adversaries may use network shares to exfiltrate data and then remove the shares to cover their tracks. This analytic looks for the removal of network shares via the command line, which is otherwise a rare event.

Pseudocode - network shares being removed via the command line
processes = search Process:Create
target_processes = filter processes where (
  (exe="C:\\Windows\\System32\\net.exe" AND command_line="*delete*") OR
  command_line="*Remove-SmbShare*" OR
  command_line="*Remove-FileShare*" )
output target_processes
Splunk - Splunk Search - delete network shares
(index=__your_sysmon_index__ EventCode=1) ((Image="C:\\Windows\\System32\\net.exe" AND CommandLine="*delete*") OR CommandLine="*Remove-SmbShare*" OR CommandLine="*Remove-FileShare*")
LogPoint - LogPoint Search - delete network shares
norm_id=WindowsSysmon event_id=1 ((image="C:\Windows\System32\net.exe" command="*delete*") OR command="*Remove-SmbShare*" OR command="*Remove-FileShare*")
CAR-2021-01-003 · Clearing Windows Logs with Wevtutil (low coverage)

In an attempt to clear traces after compromising a machine, threat actors often try to clear Windows Event logs. This is often done using “wevtutil”, a legitimate tool provided by Microsoft. This action interferes with event collection and notification, and may lead to a security event going undetected, thereby potentially leading to further compromise of the network.

Splunk - Splunk search - Detecting log clearing with wevtutil
index=__your_sysmon_index__ sourcetype= __your__windows__sysmon__sourcetype EventCode=1 Image=*wevtutil* CommandLine=*cl* (CommandLine=*System* OR CommandLine=*Security* OR CommandLine=*Setup* OR CommandLine=*Application*)
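The four CAR analytics above, plus the two fsutil atomic tests in the Atomic Tests section, all reduce to the same two checks: a Windows event-log record that says a log was cleared or filled, or a process command line that invokes one of a small set of cleanup commands. The Python below is an added example, not CAR's or the page's own code, that turns them into one rule set you can unit-test before porting to a SIEM. The record schema (channel, event_id, command_line) and the sample events are assumptions; map them to your own Sysmon or 4688 fields.

```python
import re

# Windows event-log records that indicate a log was cleared, filled, or its
# service stopped (the event-ID half of CAR-2016-04-002).
LOG_EVENT_RULES = {
    ("security", 1100): "eventlog-service-shutdown",
    ("security", 1102): "security-log-cleared",
    ("security", 1104): "security-log-full",
    ("system", 104): "log-file-cleared",
}

# Process-creation command lines (Sysmon event 1 or Security 4688). Each pattern
# is tighter than the CAR wildcards: e.g. wevtutil must be followed by cl or
# clear-log and a log name, so "wevtutil el" or "wevtutil qe ..." do not fire.
COMMAND_LINE_RULES = [
    ("wevtutil-clear-log",
     r"\bwevtutil(?:\.exe)?\b.*\b(?:cl|clear-log)\s+(?:security|system|application|setup)\b"),
    ("powershell-clear-eventlog", r"\bclear-eventlog\b"),
    ("powershell-limit-eventlog-donotoverwrite", r"\blimit-eventlog\b.*\bdonotoverwrite\b"),
    ("powershell-remove-eventlog", r"\bremove-eventlog\b"),
    ("evtx-file-deleted", r"\b(?:remove-item|del|erase|rm)\b.*\.evtx\b"),
    ("psreadline-history-deleted",
     r"\b(?:remove-item|del|erase|rm)\b.*(?:historysavepath|consolehost_history\.txt)"),
    ("psreadline-history-disabled", r"\bset-psreadlineoption\b.*-historysavestyle\s+savenothing\b"),
    ("share-removed-net", r"\bnet1?(?:\.exe)?[\"']?\s+(?:share|use)\b.*/delete\b"),
    ("share-removed-powershell", r"\bremove-(?:smbshare|fileshare)\b"),
    ("usn-journal-deleted", r"\bfsutil(?:\.exe)?\s+usn\s+deletejournal\b"),
    ("file-zeroed-with-fsutil", r"\bfsutil(?:\.exe)?\s+file\s+setzerodata\b"),
]
COMPILED = [(rid, re.compile(rx, re.IGNORECASE)) for rid, rx in COMMAND_LINE_RULES]

# Constructed sample events (illustrative, not real telemetry). The last two
# are benign look-alikes that the tightened patterns must not flag.
SYSMON = "Microsoft-Windows-Sysmon/Operational"
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 1102, "user": "CORP\\svc-backup"},
    {"channel": SYSMON, "event_id": 1, "command_line": "wevtutil.exe cl Security"},
    {"channel": SYSMON, "event_id": 1,
     "command_line": 'powershell.exe -nop -c "Remove-Item (Get-PSReadlineOption).HistorySavePath"'},
    {"channel": SYSMON, "event_id": 1, "command_line": "net  share staging /delete"},
    {"channel": SYSMON, "event_id": 1, "command_line": "fsutil usn deletejournal /D C:"},
    {"channel": "Security", "event_id": 4688,
     "command_line": "wevtutil.exe qe Security /c:5 /rd:true /f:text"},
    {"channel": SYSMON, "event_id": 1, "command_line": "net share"},
]


def evaluate(event: dict) -> list:
    """Return the rule ids an event triggers (empty list if none).
    Recognised keys, all optional: channel, event_id, command_line."""
    hits = []
    key = (str(event.get("channel", "")).lower(), event.get("event_id"))
    if key in LOG_EVENT_RULES:
        hits.append(LOG_EVENT_RULES[key])
    cmd = event.get("command_line") or ""
    hits.extend(rid for rid, rx in COMPILED if rx.search(cmd))
    return hits


def scan(events) -> dict:
    """Map event index -> rule ids for every event that fired at least one rule."""
    return {i: hits for i, hits in ((i, evaluate(e)) for i, e in enumerate(events)) if hits}


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS).items():
        print(index, SAMPLE_EVENTS[index].get("command_line", "<log event>"), "->", hits)
```

Command-line rules only see what spawns a process: clearing a log through the EvtClearLog API, or typing the PSReadLine commands into an already-running console, produces no matching command line. That is why the Security 1102 / System 104 rule is kept alongside them, and why the logs have to leave the host before they are cleared.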

Falco Runtime Rules (2)

Container / Linux runtime detections that fire on this technique.
Clear Log Activities (priority: WARNING)
Detect clearing of critical access log files, typically done to erase evidence that could be attributed to an adversary's actions. To effectively customize and operationalize this detection, check for potentially missing log file destinations relevant to your environment, and adjust the profiled containers you wish not to be alerted on.
Condition:
open_write and access_log_files and evt.arg.flags contains "O_TRUNC" and not containerd_activities and not trusted_logging_images and not allowed_clear_log_files
Delete or rename shell history (priority: WARNING)
Detect shell history deletion, frequently used by unsophisticated adversaries to eliminate evidence. Note that it can also trigger when exiting a Terminal shell, such as with `kubectl exec`, which may introduce some noise. The Caldera "Avoid logs" ability listed below (> $HOME/.bash_history && unset HISTFILE) is an O_TRUNC open of the history file, which is what truncate_shell_history matches; the unset HISTFILE half produces no file event at all, so a shell that simply never writes its history is a blind spot for this rule.
Condition:
(modify_shell_history or truncate_shell_history) and not var_lib_docker_filepath and not proc.name in (docker_binaries)

Caldera Emulation (4)

MITRE Caldera abilities that emulate this technique - each is an executable action for automated adversary emulation.
Avoid logs (defense-evasion · darwin, linux, windows)
> $HOME/.bash_history && unset HISTFILE
Clear Logs (defense-evasion · windows)
Clear-Eventlog Security;
Clear-Eventlog System;
Deadman - Delete agent file (defense-evasion · windows, darwin, linux; the Windows PowerShell variant is shown)
$startupClass = Get-CimClass -ClassName Win32_ProcessStartup;
$startupInfo = New-CimInstance -CimClass $startupClass -Property @{ShowWindow = 0} -ClientOnly;
$processClass = Get-CimClass -ClassName Win32_Process;
Invoke-CimMethod -CimClass $processClass -MethodName Create -Arguments @{
    Commandline = 'cmd.exe /c "timeout /nobreak /t 10 >nul 2>nul & del /f #{location}"';
    ProcessStartupInformation = [CimInstance]$startupInfo
};
Delete payload (defense-evasion · darwin, linux, windows)

threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin