Stealth

T1070: Indicator Removal

T1070 · Technique · 7 platforms · 4 groups

Description

Adversaries may selectively delete or modify artifacts generated to reduce indications of their presence and blend in with legitimate activity. Rather than broadly removing evidence, adversaries may target specific artifacts that appear anomalous or are likely to draw scrutiny, while leaving sufficient data intact to maintain the appearance of normal system behavior.

Artifacts such as command histories, log entries, or file metadata may be altered in ways that align with expected user or system activity. Location, format, and type of artifact (such as command or login history) are often platform-specific, allowing adversaries to tailor modifications that minimize suspicion.

These actions may not prevent detection entirely but can delay recognition of malicious activity or reduce the fidelity of alerts by making events appear benign or consistent with routine operations. Additionally, selectively removed or modified artifacts may still be recoverable through deeper forensic analysis, though their absence or alteration can complicate timeline reconstruction and attribution.

Platforms

Containers, ESXi, Linux, macOS, Network Devices, Office Suite, Windows

Sub-Techniques (8)

Mitigations (3)

M1041: Encrypt Sensitive Information

Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.

M1029: Remote Data Storage

Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system.

M1022: Restrict File and Directory Permissions

Protect locally stored event files with proper permissions and authentication, and limit the opportunities an adversary has to escalate privileges, since elevated privileges are what allow those files to be altered.
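The following is an added example, not part of the ATT&CK page or any referenced project: it shows why M1029 (Remote Data Storage) matters against the selective edits the description above discusses, by reconciling a host's local log with the copy already forwarded to a collector, which the adversary could not reach. The log format, hostname, addresses and every sample line are constructed for the example.

```python
import difflib
from dataclasses import dataclass, field


@dataclass
class Reconciliation:
    removed: list = field(default_factory=list)   # forwarded to the collector, absent locally
    modified: list = field(default_factory=list)  # (remote_line, local_line) pairs that differ
    added: list = field(default_factory=list)     # present locally only (never forwarded)


def reconcile(remote_lines, local_lines):
    """Diff the collector's copy (treated as ground truth) against the host's copy."""
    sm = difflib.SequenceMatcher(a=remote_lines, b=local_lines, autojunk=False)
    res = Reconciliation()
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag == "delete":
            res.removed.extend(remote_lines[i1:i2])
        elif tag == "insert":
            res.added.extend(local_lines[j1:j2])
        elif tag == "replace":
            # Pair lines positionally; unmatched remainders are removals or additions.
            rem, loc = remote_lines[i1:i2], local_lines[j1:j2]
            res.modified.extend(zip(rem, loc))
            res.removed.extend(rem[len(loc):])
            res.added.extend(loc[len(rem):])
    return res


def classify(res, remote_total):
    """Distinguish a wiped log from the selective edits T1070 describes."""
    if not (res.removed or res.modified or res.added):
        return "consistent"
    if remote_total and len(res.removed) == remote_total:
        return "wholesale clearing"
    return "selective tampering"


# Constructed sample: the collector's copy of one host's auth log.
REMOTE = [
    "2024-05-01T08:00:01 host1 cron[412]: (root) CMD (run-parts /etc/cron.hourly)",
    "2024-05-01T08:02:13 host1 sshd[1501]: Accepted password for ops from 10.0.0.5 port 51022",
    "2024-05-01T08:02:40 host1 sudo: ops : COMMAND=/usr/bin/vim /etc/ssh/sshd_config",
    "2024-05-01T08:03:05 host1 sshd[1501]: pam_unix(sshd:session): session closed for user ops",
    "2024-05-01T09:00:01 host1 cron[433]: (root) CMD (run-parts /etc/cron.hourly)",
]
# Constructed sample: the same log read back from the host. The login's source
# address now matches the usual admin workstation and the sudo entry is gone,
# while the routine cron noise is left in place so the file still looks normal.
LOCAL = [
    REMOTE[0],
    "2024-05-01T08:02:13 host1 sshd[1501]: Accepted password for ops from 192.168.1.20 port 51022",
    REMOTE[3],
    REMOTE[4],
]

if __name__ == "__main__":
    r = reconcile(REMOTE, LOCAL)
    print(classify(r, len(REMOTE)), "removed:", r.removed, "modified:", r.modified)
```

Because the comparison is positional, the collector's copy must preserve arrival order; in practice the same check is run per host and per log source on a schedule, so a shrinking delay on forwarding (as M1029 recommends) narrows the window in which a local edit can precede the remote copy.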

Threat Groups (4)

| ID | Group | Context |
| --- | --- | --- |
| G1044 | APT42 | [APT42](https://attack.mitre.org/groups/G1044) has cleared Chrome browser history. (Citation: Mandiant APT42-untangling) |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has deleted registry keys that store data and maintained persistence. (Citation: Eset PlugX Korp...) |
| G1023 | APT5 | [APT5](https://attack.mitre.org/groups/G1023) has used the THINBLOOD utility to clear SSL VPN log files located at `/home/runtime/logs`. (Citation: Man...) |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has restored malicious [KernelCallbackTable](https://attack.mitre.org/techniques/T1574/013) cod... |

Associated Software (27)

| ID | Name | Type | Context |
| --- | --- | --- | --- |
| S1132 | IPsec Helper | Malware | [IPsec Helper](https://attack.mitre.org/software/S1132) can delete various registry keys related to its execution and use. (Citation: SentinelOne Agriu...) |
| S0695 | Donut | Tool | [Donut](https://attack.mitre.org/software/S0695) can erase file references to payloads in-memory after being reflectively loaded and executed. (Citatio...) |
| S0461 | SDBbot | Malware | [SDBbot](https://attack.mitre.org/software/S0461) has the ability to clean up and remove data structures from a compromised host. (Citation: Proofpoint...) |
| S1161 | BPFDoor | Malware | [BPFDoor](https://attack.mitre.org/software/S1161) clears the file location `/proc/<PID>/environ`, removing all environment variables for the process. (...) |
| S0596 | ShadowPad | Malware | [ShadowPad](https://attack.mitre.org/software/S0596) has deleted arbitrary Registry values. (Citation: Kaspersky ShadowPad Aug 2017) |
| S0089 | BlackEnergy | Malware | [BlackEnergy](https://attack.mitre.org/software/S0089) has removed the watermark associated with enabling the `TESTSIGNING` boot configurat... |
| S0568 | EVILNUM | Malware | [EVILNUM](https://attack.mitre.org/software/S0568) has a function called "DeleteLeftovers" to remove certain artifacts of the attack. (Citation: Prevai...) |
| S0692 | SILENTTRINITY | Tool | [SILENTTRINITY](https://attack.mitre.org/software/S0692) can remove artifacts from the compromised host, including created Registry keys. (Citation: Gi...) |
| S1135 | MultiLayer Wiper | Malware | [MultiLayer Wiper](https://attack.mitre.org/software/S1135) uses a batch script to clear file system cache memory via the `ProcessIdleTasks`... |
| S0229 | Orz | Malware | [Orz](https://attack.mitre.org/software/S0229) can overwrite Registry settings to reduce its visibility on the victim. (Citation: Proofpoint Leviathan ...) |
| S1159 | DUSTTRAP | Malware | [DUSTTRAP](https://attack.mitre.org/software/S1159) restores the `.text` section of compromised DLLs after malicious code is loaded into memory and be... |
| S0697 | HermeticWiper | Malware | [HermeticWiper](https://attack.mitre.org/software/S0697) can disable pop-up information about folders and desktop items and delete Registry keys to hi... |
| S0455 | Metamorfo | Malware | [Metamorfo](https://attack.mitre.org/software/S0455) has a command to delete a Registry key it uses, `\Software\Microsoft\Internet Explorer\notes...` |
| S0603 | Stuxnet | Malware | [Stuxnet](https://attack.mitre.org/software/S0603) can delete OLE Automation and SQL stored procedures used to store malicious payloads. (Citation: Nic...) |
| S0448 | Rising Sun | Malware | [Rising Sun](https://attack.mitre.org/software/S0448) can clear a memory blob in the process by overwriting it with junk bytes. (Citation: McAfee Sharp...) |
| S0332 | Remcos | Tool | [Remcos](https://attack.mitre.org/software/S0332) can clean saved cookies and logins from the web browser. (Citation: Fortinet Remcos Campaign NOV 2024...) |
| S1044 | FunnyDream | Malware | [FunnyDream](https://attack.mitre.org/software/S1044) has the ability to clean traces of malware deployment. (Citation: Bitdefender FunnyDream Campaign...) |
| S1085 | Sardonic | Malware | [Sardonic](https://attack.mitre.org/software/S1085) has the ability to delete created WMI objects to evade detections. (Citation: Bitdefender Sardonic ...) |
| S0449 | Maze | Malware | [Maze](https://attack.mitre.org/software/S0449) has used the “Wow64RevertWow64FsRedirection” function following attempts to delete the shadow volumes,... |
| S0589 | Sibot | Malware | [Sibot](https://attack.mitre.org/software/S0589) will delete an associated registry key if a certain server response is received. (Citation: MSTIC NOBE...) |

Frequently Asked Questions

What is T1070 (Indicator Removal)?

T1070 is a MITRE ATT&CK technique named 'Indicator Removal'. It belongs to the Stealth tactic(s). Adversaries may selectively delete or modify artifacts generated to reduce indications of their presence and blend in with legitimate activity. Rather than broadly removing evidence, adversaries may target specific artifacts that appear anomalous or are likely to draw scrutiny, while leaving sufficient data intact to maintain the appearance of normal system behavior.

How can T1070 be detected?

Detection of T1070 (Indicator Removal) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1070?

There are 3 documented mitigations for T1070. Key mitigations include: Encrypt Sensitive Information, Remote Data Storage, Restrict File and Directory Permissions.

Which threat groups use T1070?

Known threat groups using T1070 include: APT42, Mustang Panda, APT5, Lazarus Group.