Detect Indicator Removal in Microsoft Sentinel
Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary's actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Removal of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1070 Indicator Removal
- Canonical reference
- https://attack.mitre.org/techniques/T1070/
KQL Detection Query
let RegistryCleanupPatterns = dynamic([
"reg delete", "reg.exe delete",
"Remove-ItemProperty", "Remove-Item.*HKLM", "Remove-Item.*HKCU",
"RegDeleteKey", "RegDeleteValue"
]);
let FileCleanupPatterns = dynamic([
"ProcessIdleTasks",
"advapi32.dll",
"DeleteLeftovers",
"CleanupArtifacts"
]);
let SelfDeletionPatterns = dynamic([
"cmd /c del", "cmd.exe /c del",
"/c del \"", "ping -n 1",
"del /f /q", "erase /f"
]);
// Registry deletion events
let RegDeletions = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType in ("RegistryKeyDeleted", "RegistryValueDeleted")
| where RegistryKey has_any (
"\\Run\\", "\\RunOnce\\", "\\Services\\",
"\\Scheduled Tasks", "\\AppInit_DLLs",
"\\NetworkProvider\\Order",
"\\Internet Explorer\\notes",
"\\CurrentVersion\\Image File Execution",
"\\TESTSIGNING", "\\user32.dll"
)
| extend DetectionSource = "RegistryDeletion"
| project Timestamp, DeviceName, AccountName, ActionType,
RegistryKey, RegistryValueName,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessParentFileName, DetectionSource;
// Process-based cleanup commands
let ProcCleanup = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (RegistryCleanupPatterns)
or ProcessCommandLine has_any (SelfDeletionPatterns)
or (InitiatingProcessFileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")
and ProcessCommandLine has "del" and ProcessCommandLine has ".exe")
| extend DetectionSource = "ProcessCleanupCommand"
| project Timestamp, DeviceName, AccountName,
FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessParentFileName, DetectionSource;
// Combine results
union RegDeletions, ProcCleanup
| extend SuspicionFlags = pack_array(
iff(DetectionSource == "RegistryDeletion", "registry_key_deleted", ""),
iff(ProcessCommandLine has_any (SelfDeletionPatterns), "self_deletion_pattern", ""),
iff(ProcessCommandLine has_any (RegistryCleanupPatterns), "registry_cleanup_cmd", ""),
iff(ProcessCommandLine has "del" and ProcessCommandLine has ".exe", "executable_deletion", "")
)
| project Timestamp, DeviceName, AccountName,
DetectionSource, RegistryKey, RegistryValueName,
FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
SuspicionFlags
| sort by Timestamp descDetects broad indicator removal activity using Microsoft Defender for Endpoint tables. Monitors two primary signals: (1) registry key/value deletion targeting persistence and security-relevant registry paths using DeviceRegistryEvents, and (2) process-based artifact cleanup commands including reg delete, self-deletion patterns (cmd /c del <exe>), and Remove-Item against registry hives using DeviceProcessEvents. Results are unioned with a DetectionSource field to distinguish the signal type for triage. Targets behaviors observed in IPsec Helper, ShadowPad, SDBbot, EVILNUM, HermeticWiper, and Mustang Panda.
Data Sources
Required Tables
False Positives & Tuning
- Software uninstallers that legitimately remove their own registry run keys and service entries during clean uninstallation
- IT management tools (SCCM, Intune, Group Policy) that delete temporary registry values as part of deployment or policy application
- System cleanup utilities (CCleaner, Windows Disk Cleanup) that remove cached artifacts and registry entries as part of routine maintenance
- Developers running build/clean scripts that delete test artifacts, temporary executables, and configuration entries
- Self-updating software that deletes old version run keys before writing new ones during an update cycle
Other platforms for T1070
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Registry Key Self-Cleanup — Delete Run Key
Expected signal: Sysmon Event ID 12 (RegistryEvent - Object Create/Delete): TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\df00tech-test, EventType=DeleteValue. Sysmon Event ID 1: two cmd/reg.exe process creation events. Security Event ID 4657 (if object access auditing is enabled): ObjectName matching the Run key path.
- Test 2Executable Self-Deletion via cmd.exe
Expected signal: Sysmon Event ID 1: Process creation for df00tech-cleanup-test.exe. Sysmon Event ID 1: cmd.exe with CommandLine containing 'del /f /q' and the .exe path. Sysmon Event ID 11: file create for df00tech-cleanup-test.exe. Sysmon Event ID 23 (if configured): FileDelete event for df00tech-cleanup-test.exe showing the file was archived by Sysmon before deletion.
- Test 3PowerShell Registry Key Deletion
Expected signal: Sysmon Event ID 12 (RegistryEvent - Create/Delete): EventType=DeleteKey, TargetObject=HKCU\Software\Microsoft\Internet Explorer\notes. Sysmon Event ID 1: powershell.exe with CommandLine containing 'Remove-Item' and 'Internet Explorer\notes'. PowerShell ScriptBlock Log Event ID 4104 with full script content showing the create and delete sequence.
- Test 4Drop-Execute-Delete Pattern in Temp Directory
Expected signal: Sysmon Event ID 11: file creation of svcupdate32.exe in C:\Users\Public\. Sysmon Event ID 1: execution of svcupdate32.exe. Sysmon Event ID 1: cmd.exe with del command. Sysmon Event ID 23 (FileDelete, if configured): svcupdate32.exe deletion. KQL hunting query matches execution in Public directory followed by file deletion within 60 minutes.
- Test 5Simulate BPFDoor Environment Variable Clearing
Expected signal: Auditd syscall event for open(2) with flags O_WRONLY on /proc/<PID>/environ path. Syslog entry if auditd is configured to watch /proc/*/environ with inode watches. Linux audit event type=PATH with name matching /proc/[0-9]+/environ.
References (12)
- https://attack.mitre.org/techniques/T1070/
- https://www.sentinelone.com/labs/operation-bleeding-bear/
- https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get-installer-tool
- https://sandfly.io/linux-threat-hunting-with-bpfdoor/
- https://securelist.com/shadowpad-in-corporate-networks/81432/
- https://www.crowdstrike.com/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/
- https://www.welivesecurity.com/en/eset-research/a-journey-to-the-darkside-the-hermetic-wiper-malware/
- https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1070
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-registry
- https://github.com/TheWover/donut
Unlock Pro Content
Get the full detection package for T1070 including response playbook, investigation guide, and atomic red team tests.
Related Detections
Sub-techniques (10)
- T1070.001Clear Windows Event Logs
- T1070.002Clear Linux or Mac System Logs
- T1070.003Clear Command History
- T1070.004File Deletion
- T1070.005Network Share Connection Removal
- T1070.006Timestomp
- T1070.007Clear Network Connection History and Configurations
- T1070.008Clear Mailbox Data
- T1070.009Clear Persistence
- T1070.010Relocate Malware