Detect Indicator Removal in Sumo Logic CSE
Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary's actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Removal of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1070 Indicator Removal
- Canonical reference
- https://attack.mitre.org/techniques/T1070/
Sumo Detection Query
(_sourceCategory=windows/sysmon OR _sourceCategory=windows/security)
| parse "<EventID>*</EventID>" as event_id nodrop
| parse "<TargetObject>*</TargetObject>" as registry_path nodrop
| parse "<CommandLine>*</CommandLine>" as command_line nodrop
| parse "<Image>*</Image>" as process_image nodrop
| parse "<ParentImage>*</ParentImage>" as parent_image nodrop
| parse "<User>*</User>" as user_name nodrop
| parse "<Computer>*</Computer>" as hostname nodrop
| where event_id in ("12", "14", "1", "4688")
// Sysmon registry events (12/14) whose target is a known persistence location
| if((event_id = "12" or event_id = "14") and (
      registry_path matches /(?i).*\\(Run|RunOnce)\\.*/ or
      registry_path matches /(?i).*\\Services\\.*/ or
      registry_path matches /(?i).*Scheduled Tasks.*/ or
      registry_path matches /(?i).*AppInit_DLLs.*/ or
      registry_path matches /(?i).*NetworkProvider\\Order.*/ or
      registry_path matches /(?i).*Internet Explorer\\notes.*/ or
      registry_path matches /(?i).*Image File Execution.*/ or
      registry_path matches /(?i).*TESTSIGNING.*/
    ), 1, 0) as is_reg_deletion
// Process creation (Sysmon 1 / Security 4688) where cmd.exe deletes an executable
| if((event_id = "1" or event_id = "4688") and
     command_line matches /(?i).*(cmd(\.exe)?\s+\/c\s+del|\/c\s+del\s+".+\.exe"|del\s+\/f|erase\s+\/f).*/ and
     command_line matches /(?i).*\.exe.*/,
     1, 0) as is_self_deletion
// Process creation running reg delete or PowerShell Remove-Item* against HKLM/HKCU
| if((event_id = "1" or event_id = "4688") and
     command_line matches /(?i).*(reg(\.exe)?\s+delete|remove-itemproperty|remove-item.+(hklm|hkcu)).*/,
     1, 0) as is_reg_cmd
| is_reg_deletion + is_self_deletion + is_reg_cmd as suspicion_score
| where suspicion_score > 0
| concat(
    if(is_reg_deletion = 1, "registry_key_deletion_persistence; ", ""),
    if(is_self_deletion = 1, "self_deletion_pattern; ", ""),
    if(is_reg_cmd = 1, "registry_delete_command; ", "")
  ) as detection_reasons
// Non-aggregate results are returned newest-first, so no sort operator is needed here
| fields _time, hostname, user_name, event_id, process_image, command_line, parent_image, registry_path, detection_reasons, suspicion_score

Detects T1070 Indicator Removal in Sumo Logic by parsing Sysmon XML event fields from the Windows Sysmon operational and Security event logs. It evaluates registry key deletion events (EventID 12 and 14) targeting known persistence registry paths, and process creation events (EventID 1 and 4688) for reg delete commands, PowerShell Remove-ItemProperty, and self-deletion patterns. It produces a per-event suspicion score and labeled detection reasons to assist analyst prioritization.
False Positives & Tuning
- Application uninstallers removing their run key entries or service registrations from the registry as part of legitimate software removal workflows
- Patch management systems that delete stale registry entries as part of pre-update cleanup before installing new software versions
- Penetration testing or red team tools cleaning up their own artifacts after authorized testing exercises using standard Windows commands
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Registry Key Self-Cleanup — Delete Run Key
Expected signal: Sysmon Event ID 12 (RegistryEvent - Object Create/Delete): TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\df00tech-test, EventType=DeleteValue. Sysmon Event ID 1: two cmd/reg.exe process creation events. Security Event ID 4657 (if object access auditing is enabled): ObjectName matching the Run key path.
- Test 2: Executable Self-Deletion via cmd.exe
Expected signal: Sysmon Event ID 1: process creation for df00tech-cleanup-test.exe. Sysmon Event ID 1: cmd.exe with CommandLine containing 'del /f /q' and the .exe path. Sysmon Event ID 11: file create for df00tech-cleanup-test.exe. Sysmon Event ID 23 (if configured): FileDelete event for df00tech-cleanup-test.exe showing the file was archived by Sysmon before deletion.
- Test 3: PowerShell Registry Key Deletion
Expected signal: Sysmon Event ID 12 (RegistryEvent - Create/Delete): EventType=DeleteKey, TargetObject=HKCU\Software\Microsoft\Internet Explorer\notes. Sysmon Event ID 1: powershell.exe with CommandLine containing 'Remove-Item' and 'Internet Explorer\notes'. PowerShell ScriptBlock Log Event ID 4104 with full script content showing the create and delete sequence.
- Test 4: Drop-Execute-Delete Pattern in Temp Directory
Expected signal: Sysmon Event ID 11: file creation of svcupdate32.exe in C:\Users\Public\. Sysmon Event ID 1: execution of svcupdate32.exe. Sysmon Event ID 1: cmd.exe with del command. Sysmon Event ID 23 (FileDelete, if configured): svcupdate32.exe deletion. KQL hunting query matches execution in the Public directory followed by file deletion within 60 minutes.
- Test 5: Simulate BPFDoor Environment Variable Clearing
Expected signal: Auditd syscall event for open(2) with flags O_WRONLY on the /proc/<PID>/environ path. Syslog entry if auditd is configured to watch /proc/*/environ with inode watches. Linux audit event type=PATH with name matching /proc/[0-9]+/environ.
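The scoring logic of the Sumo query above, re-implemented as an added Python example (not code from this page or from Sumo Logic) so the three indicators, the score and the reason labels can be exercised offline against constructed events shaped like the expected signals of Tests 1 to 3. The sample events, hostname and user values, the `xml_field` helper and the `EXPECTED_CLEANUP_PARENTS` allowlist (a tuning knob for the uninstaller false positive listed above) are assumptions; the flat `<Field>` anchors follow the query's parse statements rather than Sysmon's real `<Data Name="...">` layout.

```python
import re

# Constructed sample events (not real telemetry): minimal Sysmon-style fragments using the
# same flat <Field>...</Field> anchors the Sumo query parses. Real Sysmon XML wraps fields in
# <Data Name="..."> elements, so a production port would adjust xml_field() accordingly.
SAMPLE_EVENTS = [
    # Test 1: Sysmon 12, Run key value deleted
    "<EventID>12</EventID><Computer>ws01</Computer><User>CORP\\alice</User>"
    "<TargetObject>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\df00tech-test</TargetObject>",
    # Test 2: Sysmon 1, cmd.exe deleting the executable that spawned it
    "<EventID>1</EventID><Computer>ws01</Computer><User>CORP\\alice</User>"
    "<Image>C:\\Windows\\System32\\cmd.exe</Image>"
    "<ParentImage>C:\\Users\\Public\\df00tech-cleanup-test.exe</ParentImage>"
    '<CommandLine>cmd.exe /c del /f /q "C:\\Users\\Public\\df00tech-cleanup-test.exe"</CommandLine>',
    # Test 3: Sysmon 1, PowerShell removing the HKCU Internet Explorer\notes key
    "<EventID>1</EventID><Computer>ws01</Computer><User>CORP\\alice</User>"
    "<Image>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Image>"
    "<ParentImage>C:\\Windows\\explorer.exe</ParentImage>"
    "<CommandLine>powershell.exe -Command Remove-Item -Path 'HKCU:\\Software\\Microsoft\\Internet Explorer\\notes' -Recurse</CommandLine>",
    # Benign: ordinary process creation, should score 0
    "<EventID>1</EventID><Computer>ws01</Computer><User>CORP\\alice</User>"
    "<Image>C:\\Windows\\System32\\notepad.exe</Image><ParentImage>C:\\Windows\\explorer.exe</ParentImage>"
    "<CommandLine>notepad.exe C:\\Users\\alice\\notes.txt</CommandLine>",
    # Tuning case: msiexec-parented uninstall removing its own Run value; scores 1 but is suppressed
    "<EventID>4688</EventID><Computer>ws01</Computer><User>NT AUTHORITY\\SYSTEM</User>"
    "<Image>C:\\Windows\\System32\\reg.exe</Image><ParentImage>C:\\Windows\\System32\\msiexec.exe</ParentImage>"
    "<CommandLine>reg.exe delete HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v ExampleApp /f</CommandLine>",
]

# Regexes ported from the query's matches clauses (case-insensitive, like the (?i) flags there)
PERSISTENCE_PATH = re.compile(
    r"\\(Run|RunOnce)\\|\\Services\\|Scheduled Tasks|AppInit_DLLs|NetworkProvider\\Order|"
    r"Internet Explorer\\notes|Image File Execution|TESTSIGNING", re.I)
SELF_DELETION = re.compile(r'cmd(\.exe)?\s+/c\s+del|/c\s+del\s+".+\.exe"|del\s+/f|erase\s+/f', re.I)
HAS_EXE = re.compile(r"\.exe", re.I)
REG_DELETE_CMD = re.compile(r"reg(\.exe)?\s+delete|remove-itemproperty|remove-item.+(hklm|hkcu)", re.I)

# Assumed tuning knob, not part of the page's query: parent images whose registry cleanup is
# expected (the software uninstall / patch workflows listed under False Positives & Tuning).
EXPECTED_CLEANUP_PARENTS = {"msiexec.exe"}


def xml_field(raw, name):
    """Mirror of `parse "<name>*</name>" as field nodrop`: the value, or None when absent."""
    m = re.search(r"<%s>(.*?)</%s>" % (name, name), raw, re.S)
    return m.group(1) if m else None


def score_event(raw):
    """Compute the per-event indicators, suspicion score and reason labels as the query does."""
    ev = {k: xml_field(raw, tag) for k, tag in (
        ("event_id", "EventID"), ("registry_path", "TargetObject"), ("command_line", "CommandLine"),
        ("process_image", "Image"), ("parent_image", "ParentImage"), ("user_name", "User"),
        ("hostname", "Computer"))}
    eid, reg, cmd = ev["event_id"], ev["registry_path"] or "", ev["command_line"] or ""
    is_reg_deletion = int(eid in ("12", "14") and bool(PERSISTENCE_PATH.search(reg)))
    is_self_deletion = int(eid in ("1", "4688") and bool(SELF_DELETION.search(cmd))
                           and bool(HAS_EXE.search(cmd)))
    is_reg_cmd = int(eid in ("1", "4688") and bool(REG_DELETE_CMD.search(cmd)))
    ev["suspicion_score"] = is_reg_deletion + is_self_deletion + is_reg_cmd
    ev["detection_reasons"] = [label for flag, label in (
        (is_reg_deletion, "registry_key_deletion_persistence"),
        (is_self_deletion, "self_deletion_pattern"),
        (is_reg_cmd, "registry_delete_command")) if flag]
    # Tuning: suppress hits whose parent process is an expected cleanup tool (assumed allowlist)
    parent = (ev["parent_image"] or "").rsplit("\\", 1)[-1].lower()
    ev["suppressed"] = parent in EXPECTED_CLEANUP_PARENTS
    return ev


def run_detection(events):
    """Equivalent of `where suspicion_score > 0`, plus the assumed parent-image tuning filter."""
    return [ev for ev in map(score_event, events)
            if ev["suspicion_score"] > 0 and not ev["suppressed"]]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit["hostname"], hit["event_id"], hit["suspicion_score"],
              "; ".join(hit["detection_reasons"]))
```

Running the script lists three hits (the Run key deletion, the cmd.exe self-deletion and the PowerShell Remove-Item) and silently drops both the benign notepad event and the msiexec-parented uninstall, which still scores 1 before the allowlist is applied; that split between raw score and suppression is what makes the tuning decision auditable.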
References (12)
- https://attack.mitre.org/techniques/T1070/
- https://www.sentinelone.com/labs/operation-bleeding-bear/
- https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get-installer-tool
- https://sandfly.io/linux-threat-hunting-with-bpfdoor/
- https://securelist.com/shadowpad-in-corporate-networks/81432/
- https://www.crowdstrike.com/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/
- https://www.welivesecurity.com/en/eset-research/a-journey-to-the-darkside-the-hermetic-wiper-malware/
- https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1070
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-registry
- https://github.com/TheWover/donut
Related Detections
Sub-techniques (10)
- T1070.001 Clear Windows Event Logs
- T1070.002 Clear Linux or Mac System Logs
- T1070.003 Clear Command History
- T1070.004 File Deletion
- T1070.005 Network Share Connection Removal
- T1070.006 Timestomp
- T1070.007 Clear Network Connection History and Configurations
- T1070.008 Clear Mailbox Data
- T1070.009 Clear Persistence
- T1070.010 Relocate Malware