T1070

Indicator Removal

Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary's actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Removal of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.

Microsoft Sentinel / Defender

kusto

let RegistryCleanupPatterns = dynamic([
  "reg delete", "reg.exe delete",
  "Remove-ItemProperty", "Remove-Item.*HKLM", "Remove-Item.*HKCU",
  "RegDeleteKey", "RegDeleteValue"
]);
let FileCleanupPatterns = dynamic([
  "ProcessIdleTasks",
  "advapi32.dll",
  "DeleteLeftovers",
  "CleanupArtifacts"
]);
let SelfDeletionPatterns = dynamic([
  "cmd /c del", "cmd.exe /c del",
  "/c del \"", "ping -n 1",
  "del /f /q", "erase /f"
]);
// Registry deletion events
let RegDeletions = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType in ("RegistryKeyDeleted", "RegistryValueDeleted")
| where RegistryKey has_any (
    "\\Run\\", "\\RunOnce\\", "\\Services\\",
    "\\Scheduled Tasks", "\\AppInit_DLLs",
    "\\NetworkProvider\\Order",
    "\\Internet Explorer\\notes",
    "\\CurrentVersion\\Image File Execution",
    "\\TESTSIGNING", "\\user32.dll"
  )
| extend DetectionSource = "RegistryDeletion"
| project Timestamp, DeviceName, AccountName, ActionType,
          RegistryKey, RegistryValueName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, DetectionSource;
// Process-based cleanup commands
let ProcCleanup = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (RegistryCleanupPatterns)
    or ProcessCommandLine has_any (SelfDeletionPatterns)
    or (InitiatingProcessFileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")
        and ProcessCommandLine has "del" and ProcessCommandLine has ".exe")
| extend DetectionSource = "ProcessCleanupCommand"
| project Timestamp, DeviceName, AccountName,
          FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, DetectionSource;
// Combine results
union RegDeletions, ProcCleanup
| extend SuspicionFlags = pack_array(
    iff(DetectionSource == "RegistryDeletion", "registry_key_deleted", ""),
    iff(ProcessCommandLine has_any (SelfDeletionPatterns), "self_deletion_pattern", ""),
    iff(ProcessCommandLine has_any (RegistryCleanupPatterns), "registry_cleanup_cmd", ""),
    iff(ProcessCommandLine has "del" and ProcessCommandLine has ".exe", "executable_deletion", "")
  )
| project Timestamp, DeviceName, AccountName,
          DetectionSource, RegistryKey, RegistryValueName,
          FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          SuspicionFlags
| sort by Timestamp desc

high severity medium confidence

Data Sources

Windows Registry: Windows Registry Key Deletion Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceRegistryEvents DeviceProcessEvents

False Positives

Software uninstallers that legitimately remove their own registry run keys and service entries during clean uninstallation
IT management tools (SCCM, Intune, Group Policy) that delete temporary registry values as part of deployment or policy application
System cleanup utilities (CCleaner, Windows Disk Cleanup) that remove cached artifacts and registry entries as part of routine maintenance
Developers running build/clean scripts that delete test artifacts, temporary executables, and configuration entries
Self-updating software that deletes old version run keys before writing new ones during an update cycle

Splunk

spl

index=wineventlog
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
   OR sourcetype="WinEventLog:Security")
| eval is_reg_event=if(EventCode IN (12, 13, 14) AND sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", 1, 0)
| eval is_proc_event=if(EventCode=1 AND sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", 1, 0)
| eval is_sec_proc=if(EventCode=4688 AND sourcetype="WinEventLog:Security", 1, 0)
| where is_reg_event=1 OR is_proc_event=1 OR is_sec_proc=1
| eval CommandLine=coalesce(CommandLine, NewProcessName)
| eval RegistryPath=coalesce(TargetObject, ObjectName, "")
| eval EventType=case(
    is_reg_event=1 AND EventCode=12, "RegistryKeyDeleted",
    is_reg_event=1 AND EventCode=13, "RegistryValueSet",
    is_reg_event=1 AND EventCode=14, "RegistryKeyRenamed",
    is_proc_event=1 OR is_sec_proc=1, "ProcessCreation",
    true(), "Unknown"
  )
| eval RegCleanup=if(
    EventType="RegistryKeyDeleted" AND (
      match(RegistryPath, "(\\\\Run\\\\|\\\\RunOnce\\\\|\\\\Services\\\\|\\\\Scheduled Tasks|\\\\AppInit_DLLs|NetworkProvider\\\\Order|Internet Explorer\\\\notes|Image File Execution|TESTSIGNING)")
    ), 1, 0
  )
| eval SelfDeletion=if(
    EventType="ProcessCreation" AND match(lower(CommandLine), "(cmd(\.exe)?\s+/c\s+del|/c\s+del\s+\".+\.exe\"|del\s+/f|erase\s+/f)")
    AND match(lower(CommandLine), "\.exe"), 1, 0
  )
| eval RegDeleteCmd=if(
    EventType="ProcessCreation" AND match(lower(CommandLine), "(reg(\.exe)?\s+delete|remove-itemproperty|remove-item.+(hklm|hkcu))"), 1, 0
  )
| eval SuspicionScore=RegCleanup + SelfDeletion + RegDeleteCmd
| where SuspicionScore > 0
| eval DetectionReason=mvappend(
    if(RegCleanup=1, "registry_key_deletion_persistence_path", null()),
    if(SelfDeletion=1, "self_deletion_pattern", null()),
    if(RegDeleteCmd=1, "registry_delete_command", null())
  )
| table _time, host, User, EventType, Image, CommandLine, ParentImage, ParentCommandLine,
         RegistryPath, DetectionReason, SuspicionScore
| sort - _time

high severity medium confidence

Data Sources

Windows Registry: Windows Registry Key Deletion Process: Process Creation Sysmon Event ID 1 (Process Create) Sysmon Event ID 12 (Registry Key Create/Delete) Sysmon Event ID 13 (Registry Value Set) Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Software uninstallers that legitimately remove their own registry run keys and service entries during clean uninstallation
IT management tools (SCCM, Intune, Group Policy) that delete temporary registry values as part of deployment or policy application
System cleanup utilities (CCleaner, Windows Disk Cleanup) that remove cached artifacts and registry entries as part of routine maintenance
Developers running build/clean scripts that delete test artifacts, temporary executables, and configuration entries
Self-updating software that deletes old version run keys before writing new ones during an update cycle

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(startTime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  QIDNAME(qid) AS event_name,
  "RegistryPath" AS registry_path,
  "CommandLine" AS command_line,
  "Image" AS process_image,
  "ParentImage" AS parent_process,
  CATEGORYNAME(category) AS category_name,
  CASE
    WHEN "RegistryPath" LIKE '%\Run\%'
      OR "RegistryPath" LIKE '%\RunOnce\%'
      OR "RegistryPath" LIKE '%\Services\%'
      OR "RegistryPath" LIKE '%Scheduled Tasks%'
      OR "RegistryPath" LIKE '%AppInit_DLLs%'
      OR "RegistryPath" LIKE '%NetworkProvider\Order%'
      OR "RegistryPath" LIKE '%Image File Execution%'
      OR "RegistryPath" LIKE '%TESTSIGNING%'
    THEN 'registry_key_deletion_persistence'
    WHEN LOWER("CommandLine") LIKE '%reg delete%'
      OR LOWER("CommandLine") LIKE '%reg.exe delete%'
      OR LOWER("CommandLine") LIKE '%remove-itemproperty%'
      OR LOWER("CommandLine") LIKE '%remove-item%hklm%'
      OR LOWER("CommandLine") LIKE '%remove-item%hkcu%'
    THEN 'registry_delete_command'
    WHEN LOWER("CommandLine") LIKE '%cmd /c del%'
      OR LOWER("CommandLine") LIKE '%cmd.exe /c del%'
      OR LOWER("CommandLine") LIKE '%del /f%'
      OR LOWER("CommandLine") LIKE '%erase /f%'
    THEN 'self_deletion_pattern'
    ELSE 'indicator_removal_activity'
  END AS detection_reason,
  CASE
    WHEN "EventID" = '12' OR "EventID" = '14' THEN 'RegistryKeyDeleted'
    WHEN "EventID" = '1' OR "EventID" = '4688' THEN 'ProcessCreation'
    ELSE 'Other'
  END AS event_type
FROM events
WHERE
  startTime > NOW() - 86400000
  AND (
    (
      "EventID" IN ('12', '14')
      AND (
        "RegistryPath" LIKE '%\Run\%'
        OR "RegistryPath" LIKE '%\RunOnce\%'
        OR "RegistryPath" LIKE '%\Services\%'
        OR "RegistryPath" LIKE '%Scheduled Tasks%'
        OR "RegistryPath" LIKE '%AppInit_DLLs%'
        OR "RegistryPath" LIKE '%NetworkProvider\Order%'
        OR "RegistryPath" LIKE '%Image File Execution%'
        OR "RegistryPath" LIKE '%TESTSIGNING%'
      )
    )
    OR (
      "EventID" IN ('1', '4688')
      AND (
        LOWER("CommandLine") LIKE '%reg delete%'
        OR LOWER("CommandLine") LIKE '%reg.exe delete%'
        OR LOWER("CommandLine") LIKE '%remove-itemproperty%'
        OR LOWER("CommandLine") LIKE '%remove-item%hklm%'
        OR LOWER("CommandLine") LIKE '%remove-item%hkcu%'
        OR LOWER("CommandLine") LIKE '%cmd /c del%'
        OR LOWER("CommandLine") LIKE '%cmd.exe /c del%'
        OR LOWER("CommandLine") LIKE '%del /f%'
        OR LOWER("CommandLine") LIKE '%erase /f%'
      )
    )
  )
ORDER BY startTime DESC

high severity medium confidence

Data Sources

IBM QRadar DSM for Microsoft Windows Sysmon Universal DSM Microsoft Windows Security Event Log DSM

Required Tables

events

False Positives

Software package managers and Windows Installer removing application-specific registry persistence entries during sanctioned uninstall operations
Group Policy and endpoint management platforms (SCCM, Intune) deleting or replacing registry configuration keys during policy enforcement cycles
Security hardening automation scripts executing reg delete commands to remove legacy or insecure registry entries per CIS or DISA STIG benchmarks

Sumo Logic CSE

sql

(_sourceCategory=windows/sysmon OR _sourceCategory=windows/security)
| parse "<EventID>*</EventID>" as event_id nodrop
| parse "<TargetObject>*</TargetObject>" as registry_path nodrop
| parse "<CommandLine>*</CommandLine>" as command_line nodrop
| parse "<Image>*</Image>" as process_image nodrop
| parse "<ParentImage>*</ParentImage>" as parent_image nodrop
| parse "<User>*</User>" as user_name nodrop
| parse "<Computer>*</Computer>" as hostname nodrop
| where event_id in ("12", "14", "1", "4688")
| eval is_reg_deletion = if(
    event_id in ("12", "14") and (
      registry_path matches "(?i).*\\\\(Run|RunOnce)\\\\.*" or
      registry_path matches "(?i).*\\\\Services\\\\.*" or
      registry_path matches "(?i).*Scheduled Tasks.*" or
      registry_path matches "(?i).*AppInit_DLLs.*" or
      registry_path matches "(?i).*NetworkProvider\\\\Order.*" or
      registry_path matches "(?i).*Internet Explorer\\\\notes.*" or
      registry_path matches "(?i).*Image File Execution.*" or
      registry_path matches "(?i).*TESTSIGNING.*"
    ), 1, 0
  )
| eval is_self_deletion = if(
    event_id in ("1", "4688") and
    command_line matches "(?i).*(cmd(\.exe)?\\s+/c\\s+del|/c\\s+del\\s+\".+\.exe\"|del\\s+/f|erase\\s+/f).*" and
    command_line matches "(?i).*\.exe.*",
    1, 0
  )
| eval is_reg_cmd = if(
    event_id in ("1", "4688") and
    command_line matches "(?i).*(reg(\.exe)?\\s+delete|remove-itemproperty|remove-item.+(hklm|hkcu)).*",
    1, 0
  )
| eval suspicion_score = is_reg_deletion + is_self_deletion + is_reg_cmd
| where suspicion_score > 0
| eval detection_reasons = concat(
    if(is_reg_deletion = 1, "registry_key_deletion_persistence; ", ""),
    if(is_self_deletion = 1, "self_deletion_pattern; ", ""),
    if(is_reg_cmd = 1, "registry_delete_command; ", "")
  )
| table _time, hostname, user_name, event_id, process_image, command_line, parent_image, registry_path, detection_reasons, suspicion_score
| sort by _time desc

high severity medium confidence

Data Sources

Windows Sysmon Operational Log via Sumo Logic collector Windows Security Event Log via Sumo Logic collector

Required Tables

windows/sysmon windows/security

False Positives

Application uninstallers removing their run key entries or service registrations from the registry as part of legitimate software removal workflows
Patch management systems that delete stale registry entries as part of pre-update cleanup before installing new software versions
Penetration testing or red team tools cleaning up their own artifacts after authorized testing exercises using standard Windows commands

Google Chronicle / SecOps

yaral

rule T1070_Indicator_Removal {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects MITRE T1070 Indicator Removal via registry key deletion at persistence paths or process-based cleanup commands including reg delete, Remove-ItemProperty, and self-deletion of executables."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1070"
    severity = "HIGH"
    confidence = "MEDIUM"
    version = "1.0"

  events:
    (
      $e.metadata.event_type = "REGISTRY_DELETION" and
      (
        re.regex($e.target.registry.registry_key, `(?i)\\(Run|RunOnce)\\`) or
        re.regex($e.target.registry.registry_key, `(?i)\\Services\\`) or
        re.regex($e.target.registry.registry_key, `(?i)\\Scheduled Tasks`) or
        re.regex($e.target.registry.registry_key, `(?i)\\AppInit_DLLs`) or
        re.regex($e.target.registry.registry_key, `(?i)\\NetworkProvider\\Order`) or
        re.regex($e.target.registry.registry_key, `(?i)\\Image File Execution`) or
        re.regex($e.target.registry.registry_key, `(?i)TESTSIGNING`)
      )
    ) or
    (
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      (
        re.regex($e.target.process.command_line, `(?i)reg(\.exe)?\s+delete`) or
        re.regex($e.target.process.command_line, `(?i)Remove-ItemProperty`) or
        re.regex($e.target.process.command_line, `(?i)Remove-Item.+(HKLM|HKCU)`) or
        re.regex($e.target.process.command_line, `(?i)cmd(\.exe)?\s+/c\s+del\s+.*\.exe`) or
        re.regex($e.target.process.command_line, `(?i)del\s+/[fF]`) or
        re.regex($e.target.process.command_line, `(?i)erase\s+/[fF]`)
      )
    )

  outcome:
    $hostname = $e.principal.hostname
    $username = $e.principal.user.userid
    $process_cmd = $e.target.process.command_line
    $registry_key = $e.target.registry.registry_key
    $parent_cmd = $e.principal.process.command_line
    $event_type = $e.metadata.event_type

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle UDM Windows Event Log ingested via Chronicle Forwarder Sysmon logs via Chronicle Forwarder

Required Tables

UDM Events

False Positives

Enterprise software deployment platforms such as Intune or SCCM removing configuration or persistence registry keys during device compliance remediation cycles
IT support scripts using reg delete or Remove-Item to clean up stale application entries or disable legacy features during authorized troubleshooting
Application self-update mechanisms deleting older executable versions using del /f after replacing binaries with newer releases

CrowdStrike LogScale (CQL)

cql

#event_simpleName IN (RegistryOperationCreate, RegistryOperationDelete, ProcessRollup2, SyntheticProcessRollup2)
| case {
    #event_simpleName = "RegistryOperationDelete":
      reg_path := RegObjectName ;
    * :
      reg_path := ""
  }
| eval is_reg_deletion_target := if(
    #event_simpleName = "RegistryOperationDelete" AND (
      reg_path = /\\(Run|RunOnce)\\/i OR
      reg_path = /\\Services\\/i OR
      reg_path = /Scheduled Tasks/i OR
      reg_path = /\\AppInit_DLLs/i OR
      reg_path = /\\NetworkProvider\\Order/i OR
      reg_path = /\\Image File Execution/i OR
      reg_path = /TESTSIGNING/i
    ), 1, 0
  )
| eval is_self_deletion := if(
    #event_simpleName IN (ProcessRollup2, SyntheticProcessRollup2) AND
    CommandLine = /cmd(\.exe)?\s+\/c\s+del/i AND
    CommandLine = /\.exe/i,
    1, 0
  )
| eval is_reg_delete_cmd := if(
    #event_simpleName IN (ProcessRollup2, SyntheticProcessRollup2) AND (
      CommandLine = /reg(\.exe)?\s+delete/i OR
      CommandLine = /Remove-ItemProperty/i OR
      CommandLine = /Remove-Item.+(HKLM|HKCU)/i
    ), 1, 0
  )
| eval is_force_delete := if(
    #event_simpleName IN (ProcessRollup2, SyntheticProcessRollup2) AND
    (CommandLine = /del\s+\/f/i OR CommandLine = /erase\s+\/f/i),
    1, 0
  )
| eval suspicion_score := is_reg_deletion_target + is_self_deletion + is_reg_delete_cmd + is_force_delete
| where suspicion_score > 0
| eval detection_reason := case(
    is_reg_deletion_target = 1, "registry_key_deletion_persistence",
    is_self_deletion = 1, "self_deletion_executable",
    is_reg_delete_cmd = 1, "registry_cleanup_command",
    is_force_delete = 1, "force_file_deletion",
    true(), "indicator_removal"
  )
| groupBy(
    [ComputerName, UserName, aid, #event_simpleName, CommandLine, reg_path, detection_reason],
    function=[
      count(as="event_count"),
      max(suspicion_score, as="max_score"),
      max(@timestamp, as="last_seen")
    ]
  )
| sort max_score desc

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Platform CrowdStrike Falcon Intelligence Telemetry

Required Tables

RegistryOperationDelete RegistryOperationCreate ProcessRollup2 SyntheticProcessRollup2

False Positives

CrowdStrike Falcon sensor quarantine cleanup or remediation actions removing malware-associated registry keys may generate RegistryOperationDelete events on persistence paths
Windows Installer and MSI package removal routinely deletes Run key entries and service registrations as part of legitimate software uninstall sequences
Scripted system hardening tools running CIS benchmark or DISA STIG automation that remove insecure registry keys and legacy application entries using reg delete

Last updated: 2026-04-13 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1070 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Indicator Removal

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (10)

Same Tactic: Defense Evasion

Popular Detections