T1070 | Defense Evasion | Medium difficulty

Indicator Removal

Indicator Removal (T1070) is a MITRE ATT&CK technique in the Defense Evasion tactic. SOC analysts detect it by monitoring SIEM and XDR events for behavioral anomalies and for the specific indicators described in this detection guide. Practice detection in SOCSimulator Operations.

SIEM, XDR

What is Indicator Removal?

Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary's actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings, images, or data contained in files, keys in the registry, credentials, or other relevant security artifacts created while the adversary is present. Indicator removal includes techniques such as clearing Windows Event Logs, deleting security logs from network devices, removing Prefetch files, clearing bash history, modifying file timestamps, and deleting temporary files created during attack execution. The goal is to reduce forensic evidence available to incident responders and to prevent security monitoring systems from triggering alerts based on artifacts left behind during the intrusion.

Indicator Removal is documented as technique T1070 in the MITRE ATT&CK knowledge base under the Defense Evasion tactic. Detection requires visibility into SIEM and XDR telemetry.

Detection Strategies

The following detection strategies help SOC analysts identify Indicator Removal activity. These methods apply across SIEM and XDR environments and can be implemented as detection rules, correlation queries, or behavioral analytics in your security platform.

1. Monitor for Windows Event Log clearing events, including Event ID 1102 (Security log cleared) and 1100 (Event logging service shutdown); legitimate administrators rarely need to clear security logs during normal operations.

2. Alert on processes accessing, modifying, or deleting files in Windows Event Log directories, Prefetch directories, and other forensic artifact storage locations outside of normal administrative tools.

3. Detect execution of commands designed to clear bash history on Unix systems, including history -c, unset HISTFILE, and modification of .bash_history files, particularly on servers accessed by multiple users.

4. Monitor for timestomping activity using filesystem audit logs and file integrity monitoring, alerting on file modification times that predate the creation of the file system or that match known malware activity patterns.

5. Correlate gaps in log data with other security events to identify periods where logging may have been disabled or logs deleted, using log volume baselines to detect unexplained reductions in log generation rates.
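As an added example (not part of the original guide or of SOCSimulator's own code), the following script implements strategies 1, 3 and 5 above as plain detection functions run over a handful of constructed, normalized log records. Host names, user names, the event schema and the drop ratio are assumptions chosen for the demonstration.

```python
import re
from statistics import median

# Constructed sample records (not from the page); one dict per normalized log event.
EVENTS = [
    {"ts": "09:00", "src": "winlog", "host": "DC-01", "user": "svc_backup", "event_id": 4624},
    {"ts": "09:05", "src": "winlog", "host": "DC-01", "user": "DA_temp", "event_id": 1102},
    {"ts": "09:06", "src": "auditd", "host": "APP-PROD-07", "user": "root", "cmd": "history -c"},
    {"ts": "09:06", "src": "auditd", "host": "APP-PROD-07", "user": "root", "cmd": "export HISTFILE=/dev/null"},
    {"ts": "09:07", "src": "winlog", "host": "WS-42", "user": "jdoe", "event_id": 4688, "cmd": "wevtutil.exe cl Security"},
    {"ts": "09:08", "src": "auditd", "host": "APP-PROD-07", "user": "alice", "cmd": "history | grep ssh"},
]

# Strategy 1: native log-clearing event IDs plus the command lines that produce them.
LOG_CLEAR_IDS = {1102: "Security log cleared", 1100: "Event logging service shut down"}
LOG_CLEAR_CMD = re.compile(r"\bwevtutil(\.exe)?\s+cl\b|\bClear-EventLog\b", re.I)

# Strategy 3: shell-history suppression; .bash_history only counts when removed, truncated or overwritten,
# so a plain "cat ~/.bash_history" by an analyst does not fire.
HISTORY_TAMPER = re.compile(
    r"\bhistory\s+-c\b|\bunset\s+HISTFILE\b|HISTFILE=/dev/null|(?:\brm\b|\bshred\b|\btruncate\b|>)[^|;]*\.bash_history")


def flag_log_clearing(events):
    """Return (host, user, reason) for Windows event log clearing seen by event ID or by command line."""
    hits = []
    for e in events:
        if e.get("src") != "winlog":
            continue
        if e.get("event_id") in LOG_CLEAR_IDS:
            hits.append((e["host"], e["user"], LOG_CLEAR_IDS[e["event_id"]]))
        elif LOG_CLEAR_CMD.search(e.get("cmd", "")):
            hits.append((e["host"], e["user"], "log clearing command: " + e["cmd"]))
    return hits


def flag_history_tampering(events):
    """Return (host, user, cmd) for auditd-recorded commands that clear or disable bash history."""
    return [(e["host"], e["user"], e["cmd"]) for e in events
            if e.get("src") == "auditd" and HISTORY_TAMPER.search(e.get("cmd", ""))]


def detect_volume_drop(hourly_counts, baseline_hours=24, ratio=0.25):
    """Strategy 5: return hour indexes whose event count falls below ratio x the median of the
    preceding baseline window; a silent gap from deleted or disabled logging shows up this way."""
    drops = []
    for i in range(baseline_hours, len(hourly_counts)):
        baseline = median(hourly_counts[i - baseline_hours:i])
        if hourly_counts[i] < ratio * baseline:
            drops.append(i)
    return drops
```

The volume check uses a median rather than a mean so that a single earlier quiet hour does not drag the baseline down and mask a real gap.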

Example Alerts

These realistic alert examples show what Indicator Removal looks like in your security tools. Use them to tune detection rules and train analysts to recognize true positives versus false positives in live environments.

Critical | SIEM

Windows Security Event Log Cleared

Event ID 1102 recorded on domain controller DC-01: Security audit log was cleared. The log clearing was performed by account DA_temp which was created 48 hours prior during a suspected compromise. Log entries prior to this clearance are no longer available, hampering forensic investigation of the intrusion timeline and eliminating evidence of lateral movement activity.

High | XDR

Batch Deletion of Forensic Artifacts

Script execution detected targeting deletion of multiple forensic artifact types simultaneously: clearing Prefetch files, deleting Windows Event Logs via wevtutil.exe, clearing Recent Files history, and deleting temporary files from attack staging directories. This coordinated cleanup activity strongly suggests a deliberate anti-forensic operation by a threat actor with knowledge of digital forensics.

High | SIEM

Bash History Cleared on Production Server

Auditd detected execution of history -c followed by export HISTFILE=/dev/null on production server APP-PROD-07 by the root account. These commands clear the current bash session history and prevent future commands from being recorded. This activity occurred 15 minutes after an SSH login from an unusual IP address that has not previously accessed this server.

Practice Detecting Indicator Removal

SOCSimulator provides hands-on training rooms where you investigate real-world attack scenarios including Indicator Removal. Build detection skills with zero consequences — free forever.


Frequently Asked Questions

How do SOC analysts detect Indicator Removal?
SOC analysts detect Indicator Removal (T1070) by monitoring SIEM and XDR telemetry for behavioral anomalies and specific indicators. Key detection methods include monitoring for Windows Event Log clearing events, including Event ID 1102 (Security log cleared) and 1100 (Event logging service shutdown), since legitimate administrators rarely need to clear security logs during normal operations. SOCSimulator provides hands-on practice detecting this technique with realistic alerts.
What security tools are used to detect Indicator Removal?
Indicator Removal can be detected using SIEM and XDR platforms. SIEM tools are particularly effective for this technique because they provide visibility into the defense evasion phase of the attack chain. SOCSimulator simulates all three tool types for hands-on training.
How common is Indicator Removal in real-world attacks?
Indicator Removal is a well-documented MITRE ATT&CK technique in the Defense Evasion tactic. It appears in threat intelligence reports from multiple security vendors and has been observed in campaigns by various threat actor groups. SOCSimulator includes realistic Indicator Removal scenarios based on documented attack patterns, helping analysts build detection intuition.
Can I practice detecting Indicator Removal for free?
Yes. SOCSimulator offers free forever access to training scenarios, including Defense Evasion techniques like Indicator Removal. You can investigate realistic alerts in guided Operations rooms, build detection skills with SIEM, XDR, and Firewall interfaces, and test yourself under pressure in Shift Mode. No credit card required.