Indicator removal is the adversary's cleanup operation. It happens throughout an intrusion, not just at the end. Sophisticated attackers clear logs after each lateral movement hop, delete tools immediately after use, modify file timestamps to blend malicious files with legitimate ones, and remove persistence mechanisms once they are no longer needed. The goal is to deny defenders the forensic evidence they need to understand what happened, how it happened, and how far the compromise extends.
This technique falls under the Defense Evasion tactic because its primary purpose is to prevent detection. But its impact extends far beyond evasion: indicator removal degrades incident response by eliminating the breadcrumbs that forensic analysts follow to reconstruct an attack timeline. It undermines threat hunting by removing the anomalies that hunters look for. And it compromises legal proceedings by destroying evidence that would be needed for prosecution or regulatory reporting.
T1070 is one of the most broadly used techniques in the ATT&CK framework. MITRE documents it across virtually every category of threat actor — nation-state espionage groups, ransomware operators, financially motivated criminals, and hacktivists. The technique is universal because the need to avoid detection is universal. As defensive capabilities have improved, particularly with EDR, SIEM, and behavioral analytics, attackers have responded by investing more effort in anti-forensics. In 2026, defense evasion is not an afterthought — it is a core competency that determines whether an operation succeeds or fails.
How Indicator Removal Works
The artifacts that attackers target for removal fall into several categories. Log files are the primary target — Windows Event Logs, Linux syslog/journald, application logs, web server access logs, and firewall logs all record activities that can reveal an intrusion. Dropped files, including malware executables, scripts, configuration files, and tools like Mimikatz, leave filesystem evidence. Registry modifications and scheduled tasks used for persistence create entries that defenders can discover. Command histories in shells (PowerShell history, bash history) record the exact commands the attacker executed. Network artifacts, including DNS cache entries, ARP tables, and connection records, document the attacker's communication patterns.
The removal process varies by sophistication. Unsophisticated attackers run wevtutil cl Security to clear the entire Security event log — effective but immediately obvious because the log gap itself is a high-fidelity alert. More sophisticated attackers selectively delete individual log entries that correspond to their activities while leaving the rest of the log intact, making the removal far harder to detect. The most advanced operators avoid creating artifacts in the first place by operating entirely in memory, using legitimate tools, and routing traffic through channels that blend with normal operations.
Sub-Techniques
T1070 has ten sub-techniques, each targeting a specific category of forensic artifact. Understanding which artifacts are being removed guides the defensive response.
T1070.001 — Clear Windows Event Logs
Windows Event Logs are the single most important forensic data source on Windows systems. The Security log records authentication events, the System log records service and driver activity, and application-specific logs record events from individual programs. Attackers clear these logs using built-in utilities: wevtutil cl Security, wevtutil cl System, or PowerShell's Clear-EventLog cmdlet. Ransomware operations routinely clear event logs as part of their pre-encryption preparation — LockBit, Qilin, RansomHub, and the Gentlemen ransomware group all include log clearing in their execution chains. The clearing itself generates Event ID 1102 (audit log was cleared) in the Security log and Event ID 104 in the System log, but if the attacker clears all logs simultaneously, even these events may be lost before they can be forwarded to a SIEM.
T1070.002 — Clear Linux or Mac System Logs
On Linux systems, attackers target /var/log/auth.log, /var/log/syslog, /var/log/secure, and journal files managed by systemd-journald. Common techniques include truncating log files (echo "" > /var/log/auth.log), using shred to overwrite and delete files, or using specialized tools like logcleaner that selectively remove entries matching specific criteria. On ESXi hosts — which are heavily targeted by ransomware — attackers clear /var/log/vmkernel.log and other hypervisor logs to hide evidence of their access to virtual machine infrastructure.
T1070.003 — Clear Command History
Shell command histories record every command an attacker types. On Linux and macOS, ~/.bash_history and ~/.zsh_history preserve a complete record. On Windows, PowerShell records command history in ConsoleHost_history.txt. Attackers clear these with commands like history -c, unset HISTFILE, Set-PSReadlineOption -HistorySaveStyle SaveNothing, or by directly deleting the history files. Volt Typhoon has been documented targeting PowerShell event logs specifically, performing targeted queries on Windows event logs to extract security data into .dat files before clearing the logs to conceal their reconnaissance activities.
T1070.004 — File Deletion
The most straightforward sub-technique: after using a tool, the attacker deletes it. Malware droppers remove themselves after deploying their payload. Post-exploitation tools like Mimikatz, PsExec, and Impacket scripts are deleted after credential harvesting or lateral movement. Attackers use standard deletion (del, rm), secure deletion (sdelete, shred), or NTFS alternate data streams for self-deletion that leaves behind no remnant. BlackSuit ransomware operators have been documented wiping forensic traces with CCleaner after completing their operations, ensuring that commonly recovered artifacts like browser data, recent file lists, and temporary files are all removed.
T1070.005 — Network Share Connection Removal
After accessing remote systems via SMB shares (T1021.002), attackers remove evidence of the network connections. The net use /delete command removes mapped drives and connection records. This prevents forensic analysts from seeing which remote systems the attacker accessed and when, eliminating a key data source for reconstructing the lateral movement path.
T1070.006 — Timestomping
Timestomping modifies the creation, modification, access, and change timestamps on files to make malicious files appear as if they have existed on the system since before the intrusion. On Windows, the $STANDARD_INFORMATION attribute in the Master File Table (MFT) stores the timestamps displayed to users, while the $FILE_NAME attribute is handled by the kernel and is harder to modify. Forensic analysts can compare these two sets of timestamps to detect timestomping — a discrepancy between $SI and $FN timestamps is a strong indicator of tampering. Nation-state groups including APT32 (OceanLotus), APT28 (Fancy Bear), and Mustang Panda all use timestomping as a standard part of their operational tradecraft.
T1070.007 — Clear Network Connection History and Configurations
Attackers may clear cached network connection data such as DNS resolver cache (ipconfig /flushdns), ARP tables (arp -d *), and recent connection records to hide evidence of communication with command and control infrastructure or lateral movement targets.
T1070.008 — Clear Mailbox Data
After compromising email accounts for data collection or business email compromise operations, attackers may delete sent messages, drafts, or rules they created to hide evidence of their access. This is particularly relevant in Microsoft 365 and Exchange environments where mailbox audit logs and message traces can reveal the compromise.
T1070.009 — Clear Persistence
Once an attacker no longer needs a persistence mechanism — a scheduled task, a startup registry key, a service, or a cron job — they remove it to eliminate evidence of how they maintained access. The SUNBURST backdoor deployed in the SolarWinds campaign demonstrated this technique by removing the persistence mechanism after completing its mission, making it significantly harder for investigators to understand the full scope of the compromise. Mustang Panda's SplatCloak tool was designed specifically to remove traces of its own persistence after deploying subsequent payloads.
T1070.010 — Relocate Malware
Rather than deleting malware outright, attackers may move it from its initial execution location to a different directory to evade detection rules that monitor specific paths. The original location is cleaned up, and the malware continues operating from its new location. This technique defeats monitoring rules that look for suspicious files in common drop locations (temp directories, download folders, web roots) by relocating the file to a less-monitored path after initial execution.
If your security logs only exist on the systems that generated them, indicator removal erases your entire forensic record. Centralized log collection to an immutable, attacker-inaccessible log store is the single most important defense against T1070. Without it, you are defending blind.
Real-World Case Studies
Volt Typhoon — Targeted Log Manipulation
Volt Typhoon's use of indicator removal is among the most disciplined documented by U.S. intelligence agencies. Rather than clearing logs wholesale (which would itself be detectable), Volt Typhoon actors perform targeted queries on Windows event logs using PowerShell, focusing on specific users and time periods. They extract the relevant security event data into .dat files for their own intelligence purposes, then selectively remove or modify the entries that document their activities. This approach preserves the overall integrity of the log so that administrators see a normal-looking event log, while the specific entries that would reveal the intrusion are gone. CISA notes that in certain instances, Volt Typhoon actors also rotated or deleted logs on systems where their commands were recorded, and that they avoided using compromised credentials outside normal business hours to minimize the anomalous entries that would need to be cleaned up.
SolarWinds / SUNBURST — Persistence Cleanup and Self-Deletion
The SUNBURST backdoor, deployed through a compromised SolarWinds Orion update in what became one of the most consequential supply chain attacks in history, demonstrated sophisticated indicator removal across multiple sub-techniques. The malware included a dormancy period of up to two weeks before activating, during which it performed extensive environment checks to avoid executing in analysis environments. After completing its mission on a target system, SUNBURST removed its persistence mechanisms (T1070.009) and cleaned up its own files (T1070.004), making it extremely difficult for investigators to determine the full scope of compromise. The cleanup was so thorough that many organizations only discovered they had been compromised through external notification rather than internal detection.
Ransomware Operations — Systematic Pre-Encryption Cleanup
Modern ransomware operations include indicator removal as a standard phase of their attack chain. Before deploying the encryption payload, operators systematically clear event logs to hide their lateral movement and credential harvesting activities, delete their tools and scripts, remove volume shadow copies (which serves both T1070 and T1490), and disable security monitoring through EDR tampering or BYOVD (bring-your-own-vulnerable-driver) attacks. The Gentlemen ransomware group, which emerged in mid-2025, demonstrates the current state of the art: it deletes shadow copies, clears event logs, disables security monitoring through in-memory patching, terminates backup services, and uses NTFS alternate data streams for self-deletion — leaving behind only encrypted files and ransom notes with minimal forensic evidence of how the attack was executed.
BYOVD (bring-your-own-vulnerable-driver) is now the most frequently used technique for defense impairment in ransomware operations. Attackers deploy a signed but vulnerable kernel driver, exploit it to gain kernel-level privileges, and use those privileges to terminate EDR and AV processes. This is T1562 (Impair Defenses) working in concert with T1070 — first disable the systems that generate indicators, then clean up whatever traces remain.
APT32 / OceanLotus — Timestomping as Standard Practice
APT32, a Vietnamese threat group, uses timestomping (T1070.006) as a routine part of every operation. After deploying tools and backdoors on compromised systems, the group modifies file timestamps to match the creation dates of legitimate files in the same directory. This defeats simple forensic triage that looks for recently created files, forcing analysts to use deeper MFT analysis (comparing $STANDARD_INFORMATION and $FILE_NAME timestamps) to identify tampered files. APT32's consistent use of this technique across years of operations demonstrates that timestomping is not an advanced technique reserved for special operations — it is a standard anti-forensic measure built into the group's operational playbook.
Detection Strategies
Detecting indicator removal requires a paradoxical approach: you are looking for evidence of evidence being destroyed. The most reliable detections focus on the removal actions themselves rather than the removed artifacts, because once the artifacts are gone, they are gone.
Key Event IDs and Data Sources
| Event ID | Source | What It Captures | Detection Value |
|---|---|---|---|
| 1102 | Security | The audit log was cleared | Highest-priority alert; should never occur outside of planned maintenance windows with change management approval |
| 104 | System | An event log was cleared | Captures which log was cleared and by which account; correlate with 1102 for full picture |
| 4688 | Security | Process creation (with command line) | Detect wevtutil, Clear-EventLog, fsutil, cipher, sdelete, and other cleanup tools executing |
| 1 | Sysmon | Process creation with hash and parent | Higher fidelity than 4688; captures parent-child relationships that reveal cleanup scripts orchestrating multiple deletion commands |
| 23 | Sysmon | File delete (archived) | Captures deleted file content when configured with ArchiveDirectory; provides the actual deleted artifact for analysis |
| 26 | Sysmon | File delete logged | Logs file deletions without archiving; lower storage overhead, still provides detection of cleanup activity |
| 7045 | System | New service installed | BYOVD attacks install vulnerable drivers as services; correlate with subsequent EDR process termination |
Splunk Detection Queries
```spl
# Detect Windows Event Log clearing
# High-fidelity alert — log clearing should be extremely rare
# and always correlated with change management
index=wineventlog (EventCode=1102 OR EventCode=104)
| eval action=case(EventCode=1102, "Security audit log cleared", EventCode=104, "Event log cleared: " . LogName)
| table _time, Computer, Account_Name, action
| sort -_time
```

```spl
# Detect anti-forensics tool execution
# Flags wevtutil, fsutil usn, cipher /w, sdelete, shadow copy deletion,
# and PowerShell log clearing commands
index=wineventlog sourcetype="XmlWinEventLog:Sysmon" EventCode=1
| where match(CommandLine, "(?i)(wevtutil\s+(cl|clear-log)|Clear-EventLog|Remove-EventLog|fsutil\s+usn\s+deletejournal|cipher\s+/w|sdelete|vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete)")
| table _time, Computer, User, ParentImage, Image, CommandLine
| sort -_time
```

```spl
# Detect timestomping candidates from Sysmon file creation events (EventCode=11)
# A file that appears in a system directory carrying a creation time more than a day
# older than the moment it was created there has either been moved or had its
# creation time reset. Sysmon EventCode=2 (file creation time changed) is the direct
# signal when a process resets the timestamp; confirming requires MFT $SI/$FN analysis.
# Sysmon writes CreationUtcTime as "YYYY-MM-DD HH:MM:SS.mmm"
index=wineventlog sourcetype="XmlWinEventLog:Sysmon" EventCode=11
| where match(TargetFilename, "(?i)(\\\\Windows\\\\|\\\\System32\\\\|\\\\ProgramData\\\\)")
| eval time_diff=abs(strptime(CreationUtcTime, "%Y-%m-%d %H:%M:%S.%3N") - _time)
| where time_diff > 86400
| table _time, Computer, Image, TargetFilename, CreationUtcTime
| sort -_time
```

```spl
# Detect log gaps — periods where expected events stop
# arriving from a system that was previously logging normally
# timechart (unlike bucket + stats) emits a zero for hours with no events,
# so a host that stops sending entirely is still compared against its baseline
index=wineventlog sourcetype="WinEventLog:Security"
| timechart span=1h limit=0 count by host
| untable _time host count
| eventstats avg(count) as avg_count by host
| where count < (avg_count * 0.1) AND avg_count > 10
| table _time, host, count, avg_count
| sort _time
```
The absence of evidence is itself evidence. A system that was generating hundreds of events per hour and suddenly shows a gap, or a SIEM that stops receiving logs from a specific host, is a high-priority investigation trigger. Monitor log volume baselines per host and alert on unexpected drops — this catches both log clearing and the attacker disabling the logging service entirely.
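The per-host baseline logic above, as an added Python example that is not part of the page or of any SIEM product: it buckets events by hour, zero-fills the hours in which a host sent nothing (the case a plain count-by-bucket never sees), compares each hour against the mean of the preceding 24, and reports the first hour of each drop. The host names, thresholds and the 48-hour event series are constructed assumptions.

```python
"""Per-host log-volume baseline that zero-fills missing hours, so a host that stops
forwarding entirely is caught as well as one whose volume merely drops. Added example."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def hourly_counts(events, window_end):
    """events: iterable of (timestamp, host). Returns {host: {hour: count}} with every hour
    from the host's first event up to window_end present; missing hours count as 0."""
    raw = defaultdict(lambda: defaultdict(int))
    for ts, host in events:
        raw[host][ts.replace(minute=0, second=0, microsecond=0)] += 1
    filled = {}
    for host, buckets in raw.items():
        series, hour = {}, min(buckets)
        while hour < window_end:
            series[hour] = buckets.get(hour, 0)   # the zero-fill a stats-by-bucket query lacks
            hour += timedelta(hours=1)
        filled[host] = series
    return filled


def detect_volume_drops(events, window_end, baseline_hours=24, ratio=0.1, min_baseline=10):
    """Return (host, hour, count, baseline) for the first hour of each run in which a host's
    count falls below ratio * the mean of the preceding baseline_hours hours.
    min_baseline suppresses alerts for hosts that never logged much in the first place."""
    alerts = []
    for host, series in hourly_counts(events, window_end).items():
        hours = sorted(series)
        in_drop = False
        for i, hour in enumerate(hours):
            if i < baseline_hours:
                continue                           # not enough history for a baseline yet
            prior = [series[h] for h in hours[i - baseline_hours:i]]
            baseline = sum(prior) / baseline_hours
            dropped = baseline >= min_baseline and series[hour] < baseline * ratio
            if dropped and not in_drop:
                alerts.append((host, hour, series[hour], round(baseline, 1)))
            in_drop = dropped
    return sorted(alerts, key=lambda a: (a[1], a[0]))


WINDOW_START = datetime(2026, 3, 2, tzinfo=timezone.utc)
WINDOW_END = WINDOW_START + timedelta(hours=48)


def build_sample_events():
    """Constructed 48-hour sample (hypothetical hosts): dc-01 is steady, ws-017 stops logging
    at hour 30 (logging service killed or forwarder broken), srv-app collapses for hour 36."""
    events = []
    for i in range(48):
        hour = WINDOW_START + timedelta(hours=i)
        plan = {"dc-01": 90 + (i * 7) % 20,
                "ws-017": 100 if i < 30 else 0,
                "srv-app": 50 if i != 36 else 2}
        for host, n in plan.items():
            events.extend((hour + timedelta(seconds=(k * 37) % 3600), host) for k in range(n))
    return events


if __name__ == "__main__":
    for host, hour, count, baseline in detect_volume_drops(build_sample_events(), WINDOW_END):
        print(f"{hour:%Y-%m-%d %H:%M} {host}: {count} events vs {baseline}/h baseline")
```

Run as a script it reports two hours: ws-017 at hour 30 (0 events against a baseline of 100) and srv-app at hour 36 (2 events against 50); the steady domain controller is never flagged. Because the window end is passed in explicitly rather than derived from each host's last event, the 18 silent hours at the end of the ws-017 series are counted as zeros instead of being dropped from the analysis.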
Known Threat Actors
MITRE documents over 100 threat groups and malware families that use T1070 or its sub-techniques, making it one of the most widely adopted techniques in the framework. The following represent notable examples:
- Volt Typhoon (China) — Targeted PowerShell event log queries and selective log manipulation on U.S. critical infrastructure; rotated and deleted logs to conceal nine-month-long lateral movement operations
- APT29 / Cozy Bear (Russia) — SUNBURST backdoor included persistence cleanup and self-deletion as core functionality; UNC3524 maintained access to victim email environments for over 18 months using aggressive indicator removal
- APT32 / OceanLotus (Vietnam) — Routine timestomping of deployed tools and backdoors across every documented campaign; file deletion of decoy documents and loaders after payload delivery
- APT28 / Fancy Bear (Russia) — Timestomping, log clearing, and file deletion across espionage operations targeting government and military organizations
- Mustang Panda (China) — SplatCloak tool designed to clear persistence artifacts; Hodur and Korplug variants include self-deletion capabilities after payload deployment
- Sandworm (Russia) — Log clearing and file deletion as part of destructive operations against Ukrainian infrastructure; BlackEnergy and subsequent tools include anti-forensics modules
- LockBit — Event log clearing as standard pre-encryption step; documented across LockBit 2.0 through 5.0 variants
- BlackSuit / Royal — CCleaner deployment for forensic trace removal; comprehensive cleanup including browser data, recent file lists, and temporary files
- Qilin — Event log clearing and security tool impairment as part of ransomware preparation; spear-phished MSP administrators to access customer environments downstream
- Silk Typhoon (China) — Log clearing and indicator removal during IT supply chain targeting operations documented in early 2025
Defensive Recommendations
- Implement centralized, immutable log collection: Forward all security-relevant logs (Windows Event Logs, Linux auth/syslog, firewall logs, application logs) to a centralized SIEM or log management platform in near-real-time. The log store must be write-once or access-controlled so that an attacker who compromises an endpoint cannot reach back and delete the forwarded copies. This is the foundational control — without it, every other detection strategy for T1070 fails.
- Alert on Event ID 1102 and 104 with zero tolerance: Event log clearing should never occur on production systems outside of explicitly scheduled, change-managed maintenance windows. Treat every instance of 1102 (Security audit log cleared) and 104 (event log cleared) as a potential incident until proven otherwise. Automate the alert and ensure it reaches the SOC within minutes.
- Deploy Sysmon with file deletion logging: Configure Sysmon with Event IDs 23 (FileDelete with archive) and 26 (FileDeleteDetected) to capture file deletion activity. The archive configuration preserves deleted files for forensic analysis. Focus on deletions in sensitive directories: web roots, temp directories, user profiles, and system directories. This gives you a forensic copy of the attacker's tools even after they delete them.
- Monitor log volume baselines per host: Build SIEM analytics that track the expected volume of events from each host. Alert when a host's event volume drops below a threshold (e.g., 10% of its rolling average). A sudden drop in log volume from a system that was previously logging normally is a strong indicator that either logs are being cleared or the logging service has been disabled.
- Protect logging services from termination: Configure EDR to monitor and protect the Windows Event Log service, Sysmon service, and any SIEM forwarding agents. BYOVD attacks increasingly target these services for termination. Enable tamper protection on EDR agents and monitor for new kernel driver installations (Event ID 7045) that precede security tool termination.
- Retain MFT snapshots for timestomping detection: Periodically capture snapshots of the NTFS Master File Table on critical systems. Comparing $STANDARD_INFORMATION and $FILE_NAME timestamps during forensic investigations reveals timestomped files that would otherwise blend in with legitimate system files.
- Implement PowerShell Script Block Logging and Module Logging: Even if an attacker clears the PowerShell command history file, Script Block Logging (Event ID 4104) and Module Logging capture the content of executed scripts in the Windows Event Log. When combined with centralized log forwarding, this ensures PowerShell activity is preserved even if the attacker clears local logs afterward.
- Use honeypot log entries as tripwires: Insert synthetic log entries or canary files in locations that attackers would target for deletion. If a planted entry disappears or a canary file is modified, it provides a high-fidelity alert that someone is actively performing indicator removal on that system. This technique is effective because selective log clearing (the more sophisticated approach) requires the attacker to identify which entries belong to them — and planted entries are designed to look like legitimate forensic artifacts.
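The $STANDARD_INFORMATION versus $FILE_NAME comparison described under T1070.006 and in the MFT snapshot recommendation above, as an added Python example that is not the page's own tooling: it parses the resident $SI and $FN attributes out of a 1024-byte FILE record (undoing the update sequence fixups first), then flags the two classic inconsistencies, a $SI timestamp earlier than its $FN counterpart and $SI fields with the 100 ns fraction zeroed. The record builder, the two sample files and their timestamps are constructed fixtures, not data from a real volume; on a real MFT export you would feed each 1024-byte record to check_timestomp.

```python
"""Flag NTFS timestomping by comparing $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN)
timestamps inside an MFT FILE record. Added example; build_record is a test fixture."""
import struct
from datetime import datetime, timedelta, timezone

STANDARD_INFORMATION, FILE_NAME, END_MARKER = 0x10, 0x30, 0xFFFFFFFF
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch; one tick = 100 ns

def filetime_to_datetime(ft):
    return EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10

def apply_fixups(record):
    """Restore the last two bytes of each 512-byte sector from the update sequence array."""
    rec = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        pos = i * 512 - 2
        if bytes(rec[pos:pos + 2]) != usn:
            raise ValueError("fixup mismatch: corrupt or truncated record")
        rec[pos:pos + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_timestamps(record):
    """Return {'SI': [created, modified, mft_changed, accessed], 'FN': [...]} as raw FILETIMEs."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(record)
    off = struct.unpack_from("<H", rec, 20)[0]        # offset of the first attribute
    out = {}
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER or alen == 0:
            break
        if rec[off + 8] == 0 and atype in (STANDARD_INFORMATION, FILE_NAME):   # resident only
            clen, coff = struct.unpack_from("<IH", rec, off + 16)
            content = rec[off + coff:off + coff + clen]
            # $SI begins with its four FILETIMEs; $FN has an 8-byte parent reference first
            key, base = ("SI", 0) if atype == STANDARD_INFORMATION else ("FN", 8)
            out[key] = list(struct.unpack_from("<QQQQ", content, base))
        off += alen
    return out

def check_timestomp(record):
    """Return findings; an empty list means $SI and $FN relate as NTFS normally leaves them."""
    ts = parse_timestamps(record)
    if "SI" not in ts or "FN" not in ts:
        return ["record lacks $STANDARD_INFORMATION or $FILE_NAME"]
    si, fn = ts["SI"], ts["FN"]
    findings = []
    # $FN is written at creation/rename, not by the user-mode time-setting APIs,
    # so a $SI value earlier than $FN does not arise from ordinary file activity
    if si[0] < fn[0]:
        findings.append("$SI created predates $FN created")
    if si[1] < fn[1]:
        findings.append("$SI modified predates $FN modified")
    # tools that accept a whole-second time leave the 100 ns fraction of every $SI field at 0
    if all(t % 10_000_000 == 0 for t in si):
        findings.append("all $SI timestamps have zero sub-second precision")
    return findings

def _resident_attr(atype, content):
    total = 24 + len(content)
    total += (-total) % 8                             # attribute records are 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 24, 0, 0, len(content), 24, 0, 0)
    return hdr + content.ljust(total - 24, b"\0")

def build_record(si_times, fn_times, name):
    """Constructed 1024-byte FILE record with a genuine update sequence array (fixture only)."""
    si = struct.pack("<QQQQ", *si_times) + bytes(16)  # timestamps, flags, versions, class id
    fn = (struct.pack("<Q", 5) + struct.pack("<QQQQ", *fn_times) + struct.pack("<QQII", 0, 0, 0x20, 0)
          + bytes([len(name), 1]) + name.encode("utf-16-le"))
    body = _resident_attr(STANDARD_INFORMATION, si) + _resident_attr(FILE_NAME, fn) + struct.pack("<I", END_MARKER)
    usa_off, usa_count, first_attr = 0x30, 3, 0x38
    rec = bytearray(1024)
    rec[first_attr:first_attr + len(body)] = body
    usn = b"\x01\x00"
    usa = usn + bytes(rec[510:512]) + bytes(rec[1022:1024])   # save the real sector-end bytes
    rec[510:512], rec[1022:1024] = usn, usn                    # then stamp the USN over them
    rec[:48] = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", usa_off, usa_count, 0, 1, 1, first_attr,
                           1, first_attr + len(body), 1024, 0, 3, 0, 42)
    rec[usa_off:usa_off + 6] = usa
    return bytes(rec)

def _ft(y, m, d, hh, mm, ss, ticks=0):
    return datetime_to_filetime(datetime(y, m, d, hh, mm, ss, tzinfo=timezone.utc)) + ticks

# Constructed samples: an untouched document, and a dropped tool whose $SI was pushed back to 2019
CLEAN_RECORD = build_record(
    [_ft(2024, 3, 10, 9, 15, 22, 4812345)] + [_ft(2024, 5, 1, 14, 2, 7, 1234567)] * 3,
    [_ft(2024, 3, 10, 9, 15, 22, 4812345)] * 4, "report.docx")
STOMPED_RECORD = build_record(
    [_ft(2019, 7, 4, 0, 0, 0)] * 4, [_ft(2026, 2, 14, 3, 21, 9, 7654321)] * 4, "loader.exe")

if __name__ == "__main__":
    for label, rec in (("clean", CLEAN_RECORD), ("stomped", STOMPED_RECORD)):
        ts = parse_timestamps(rec)
        print(label, filetime_to_datetime(ts["SI"][0]), filetime_to_datetime(ts["FN"][0]),
              check_timestomp(rec) or "consistent")
```

The clean record produces no findings because its $SI creation time equals the $FN value and its modification time is later, which is exactly what a file that was written to after creation looks like. The stomped record trips all three checks. The fixup step matters on real data: without it the two bytes at the end of each sector are the update sequence number rather than attribute content, and an attribute that straddles a sector boundary parses incorrectly.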
MITRE ATT&CK Mapping
| Field | Value |
|---|---|
| Technique ID | T1070 |
| Technique Name | Indicator Removal |
| Tactic | Defense Evasion |
| Platforms | Windows, Linux, macOS, Containers, ESXi, Network Devices, Office Suite |
| Sub-Techniques | T1070.001 (Clear Windows Event Logs), .002 (Clear Linux/Mac Logs), .003 (Clear Command History), .004 (File Deletion), .005 (Network Share Connection Removal), .006 (Timestomping), .007 (Clear Network Connection History), .008 (Clear Mailbox Data), .009 (Clear Persistence), .010 (Relocate Malware) |
| Data Sources | Command (Execution), File (Deletion, Modification), Process (Creation, OS API Execution), Windows Registry (Modification), User Account (Modification), Network Traffic (Content) |
| Defenses Bypassed | Log Analysis, Host Intrusion Prevention Systems, Anti-Virus, File Monitoring |
| Mitigations | Remote Data Storage (centralized logging), Restrict File and Directory Permissions, Encrypt Sensitive Information |
| MITRE Reference | attack.mitre.org/techniques/T1070 |
Sources and References
- MITRE ATT&CK — T1070 Indicator Removal: attack.mitre.org
- MITRE ATT&CK — DET0518 Behavioral Detection of T1070 Sub-Techniques (October 2025): attack.mitre.org
- CISA, NSA, FBI — PRC State-Sponsored Actors (Volt Typhoon) Compromise U.S. Critical Infrastructure (AA24-038A): cisa.gov
- MSTIC — Solorigate / SUNBURST Second-Stage Activation Analysis: microsoft.com
- Symantec — Reynolds Ransomware BYOVD Defense Evasion (February 2026): security.com
- CYFIRMA — Weekly Intelligence Report: Gentlemen Ransomware Analysis (March 2026): cyfirma.com
- Elastic — Detection Rule: Clearing Windows Event Logs: detection.fyi