T1070 Splunk · SPL

Detect Indicator Removal in Splunk

Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary's actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Removal of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1070 Indicator Removal
Canonical reference: https://attack.mitre.org/techniques/T1070/

SPL Detection Query

Splunk (SPL)

index=wineventlog
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
   OR sourcetype="WinEventLog:Security")
| eval is_reg_event=if(in(EventCode, 12, 13, 14) AND sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", 1, 0)
| eval is_proc_event=if(EventCode=1 AND sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", 1, 0)
| eval is_sec_proc=if(EventCode=4688 AND sourcetype="WinEventLog:Security", 1, 0)
| where is_reg_event=1 OR is_proc_event=1 OR is_sec_proc=1
| eval CommandLine=coalesce(CommandLine, NewProcessName)
| eval RegistryPath=coalesce(TargetObject, ObjectName, "")
``` Sysmon's own EventType field (CreateKey/DeleteKey/DeleteValue/SetValue/RenameKey) is left intact; the derived label goes into Activity. Event ID 12 covers both key creation and deletion, so only DeleteKey/DeleteValue is labelled as a deletion. ```
| eval Activity=case(
    is_reg_event=1 AND EventCode=12 AND in(EventType, "DeleteKey", "DeleteValue"), "RegistryKeyDeleted",
    is_reg_event=1 AND EventCode=12, "RegistryKeyCreated",
    is_reg_event=1 AND EventCode=13, "RegistryValueSet",
    is_reg_event=1 AND EventCode=14, "RegistryKeyRenamed",
    is_proc_event=1 OR is_sec_proc=1, "ProcessCreation",
    true(), "Unknown"
  )
``` Signal 1: deletion of a key or value under a persistence-related path ```
| eval RegCleanup=if(
    Activity="RegistryKeyDeleted" AND (
      match(RegistryPath, "(\\\\Run\\\\|\\\\RunOnce\\\\|\\\\Services\\\\|\\\\Scheduled Tasks|\\\\AppInit_DLLs|NetworkProvider\\\\Order|Internet Explorer\\\\notes|Image File Execution|TESTSIGNING)")
    ), 1, 0
  )
``` Signal 2: a process that deletes an executable via cmd /c del, del /f or erase /f ```
| eval SelfDeletion=if(
    Activity="ProcessCreation" AND match(lower(CommandLine), "(cmd(\.exe)?\s+/c\s+del|/c\s+del\s+\".+\.exe\"|del\s+/f|erase\s+/f)")
    AND match(lower(CommandLine), "\.exe"), 1, 0
  )
``` Signal 3: reg.exe delete or PowerShell Remove-Item/Remove-ItemProperty against HKLM/HKCU ```
| eval RegDeleteCmd=if(
    Activity="ProcessCreation" AND match(lower(CommandLine), "(reg(\.exe)?\s+delete|remove-itemproperty|remove-item.+(hklm|hkcu))"), 1, 0
  )
| eval SuspicionScore=RegCleanup + SelfDeletion + RegDeleteCmd
| where SuspicionScore > 0
| eval DetectionReason=mvappend(
    if(RegCleanup=1, "registry_key_deletion_persistence_path", null()),
    if(SelfDeletion=1, "self_deletion_pattern", null()),
    if(RegDeleteCmd=1, "registry_delete_command", null())
  )
| table _time, host, User, Activity, EventType, Image, CommandLine, ParentImage, ParentCommandLine,
         RegistryPath, DetectionReason, SuspicionScore
| sort - _time

Severity: high · Confidence: medium

Detects indicator removal activity using Sysmon registry events (Event IDs 12/13/14) and process creation events (Event ID 1), supplemented by Security Event ID 4688. Identifies three signals: (1) registry key deletion targeting persistence-related paths, (2) self-deletion command patterns where an executable deletes itself via cmd /c del, and (3) reg.exe or PowerShell Remove-Item commands targeting registry hives. A SuspicionScore field aggregates signals for analyst prioritization. Covers techniques used by ShadowPad, Metamorfo, Mustang Panda, and SILENTTRINITY.

Data Sources

  • Windows Registry: Windows Registry Key Deletion
  • Process: Process Creation
  • Sysmon Event ID 1 (Process Create)
  • Sysmon Event ID 12 (Registry Key Create/Delete)
  • Sysmon Event ID 13 (Registry Value Set)
  • Security Event ID 4688

Required Sourcetypes

  • XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  • WinEventLog:Security

False Positives & Tuning

  • Software uninstallers that legitimately remove their own registry run keys and service entries during clean uninstallation
  • IT management tools (SCCM, Intune, Group Policy) that delete temporary registry values as part of deployment or policy application
  • System cleanup utilities (CCleaner, Windows Disk Cleanup) that remove cached artifacts and registry entries as part of routine maintenance
  • Developers running build/clean scripts that delete test artifacts, temporary executables, and configuration entries
  • Self-updating software that deletes old version run keys before writing new ones during an update cycle
Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Registry Key Self-Cleanup — Delete Run Key

    Expected signal: Sysmon Event ID 12 (RegistryEvent - Object Create/Delete): TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\df00tech-test, EventType=DeleteValue. Sysmon Event ID 1: two cmd/reg.exe process creation events. Security Event ID 4657 (if object access auditing is enabled): ObjectName matching the Run key path.

  2. Test 2: Executable Self-Deletion via cmd.exe

    Expected signal: Sysmon Event ID 1: Process creation for df00tech-cleanup-test.exe. Sysmon Event ID 1: cmd.exe with CommandLine containing 'del /f /q' and the .exe path. Sysmon Event ID 11: file create for df00tech-cleanup-test.exe. Sysmon Event ID 23 (if configured): FileDelete event for df00tech-cleanup-test.exe showing the file was archived by Sysmon before deletion.

  3. Test 3: PowerShell Registry Key Deletion

    Expected signal: Sysmon Event ID 12 (RegistryEvent - Create/Delete): EventType=DeleteKey, TargetObject=HKCU\Software\Microsoft\Internet Explorer\notes. Sysmon Event ID 1: powershell.exe with CommandLine containing 'Remove-Item' and 'Internet Explorer\notes'. PowerShell ScriptBlock Log Event ID 4104 with full script content showing the create and delete sequence.

  4. Test 4: Drop-Execute-Delete Pattern in Temp Directory

    Expected signal: Sysmon Event ID 11: file creation of svcupdate32.exe in C:\Users\Public\. Sysmon Event ID 1: execution of svcupdate32.exe. Sysmon Event ID 1: cmd.exe with del command. Sysmon Event ID 23 (FileDelete, if configured): svcupdate32.exe deletion. KQL hunting query matches execution in Public directory followed by file deletion within 60 minutes.

  5. Test 5: Simulate BPFDoor Environment Variable Clearing

    Expected signal: Auditd syscall event for open(2) with flags O_WRONLY on /proc/<PID>/environ path. Syslog entry if auditd is configured to watch /proc/*/environ with inode watches. Linux audit event type=PATH with name matching /proc/[0-9]+/environ.
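The following Python harness is an added example, not part of the original detection package: it ports the query's three signals and scoring so the regexes can be checked offline against events shaped like the expected signals of Tests 1 to 3 above. It assumes the Splunk Sysmon TA field names (EventCode, EventType, TargetObject, CommandLine, NewProcessName), and it restricts the Event ID 12 signal to Sysmon EventType DeleteKey/DeleteValue, since Event ID 12 also records key creation.

```python
import re

# Port of the query's three signals so the regexes can be checked offline.
# Field names follow the Splunk Sysmon TA: EventCode, EventType, TargetObject, CommandLine.
SYSMON = "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
SECURITY = "WinEventLog:Security"

PERSIST_PATH = re.compile(
    r"(\\Run\\|\\RunOnce\\|\\Services\\|\\Scheduled Tasks|\\AppInit_DLLs|"
    r"NetworkProvider\\Order|Internet Explorer\\notes|Image File Execution|TESTSIGNING)")
SELF_DELETE = re.compile(r'(cmd(\.exe)?\s+/c\s+del|/c\s+del\s+".+\.exe"|del\s+/f|erase\s+/f)')
REG_DELETE = re.compile(r"(reg(\.exe)?\s+delete|remove-itemproperty|remove-item.+(hklm|hkcu))")


def score_event(ev):
    """Return (SuspicionScore, DetectionReason) for one event, as the SPL computes them."""
    reasons = []
    code, st = int(ev.get("EventCode", 0)), ev.get("sourcetype", "")
    # Sysmon Event 12 also records key creation; only DeleteKey/DeleteValue count here.
    is_reg_delete = (st == SYSMON and code == 12
                     and ev.get("EventType") in ("DeleteKey", "DeleteValue"))
    is_proc = (st == SYSMON and code == 1) or (st == SECURITY and code == 4688)
    if is_reg_delete and PERSIST_PATH.search(ev.get("TargetObject", "")):
        reasons.append("registry_key_deletion_persistence_path")
    if is_proc:
        # coalesce(CommandLine, NewProcessName) lowered, as in the query
        cmd = (ev.get("CommandLine") or ev.get("NewProcessName") or "").lower()
        if SELF_DELETE.search(cmd) and ".exe" in cmd:
            reasons.append("self_deletion_pattern")
        if REG_DELETE.search(cmd):
            reasons.append("registry_delete_command")
    return len(reasons), reasons


# Constructed events modelled on the Testing Methodology's expected signals (not real telemetry).
RUN_KEY = r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\df00tech-test"
SAMPLE_EVENTS = [
    {"sourcetype": SYSMON, "EventCode": 12, "EventType": "DeleteValue", "TargetObject": RUN_KEY},
    {"sourcetype": SYSMON, "EventCode": 12, "EventType": "CreateKey", "TargetObject": RUN_KEY},
    {"sourcetype": SYSMON, "EventCode": 1,
     "CommandLine": r'cmd.exe /c del /f /q "C:\Users\Public\df00tech-cleanup-test.exe"'},
    {"sourcetype": SYSMON, "EventCode": 1,
     "CommandLine": r"powershell.exe Remove-Item HKCU:\Software\Microsoft\Internet Explorer\notes"},
    {"sourcetype": SECURITY, "EventCode": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(score_event(ev))
```

The second sample (a CreateKey under the Run path) and the last (a plain 4688 for notepad.exe) score 0, which is the behaviour to preserve when tuning the regexes against the false-positive sources listed above.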
