title: Indicator Removal (T1070)
id: df00tech-t1070
status: experimental
description: "Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary's actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Removal of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred."
references:
  - https://attack.mitre.org/techniques/T1070/
  - https://df00tech.com/detections/T1070
author: df00tech
date: 2026/04/13
tags:
  - attack.t1070
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder: the detection logic could not be auto-translated. The wildcard selection below
  # (EventID: '*') matches every process_creation event, so replace it with the KQL/SPL query
  # published on df00tech before deploying this rule.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Software uninstallers that legitimately remove their own registry run keys and service entries during clean uninstallation
  - IT management tools (SCCM, Intune, Group Policy) that delete temporary registry values as part of deployment or policy application
  - System cleanup utilities (CCleaner, Windows Disk Cleanup) that remove cached artifacts and registry entries as part of routine maintenance
  - Developers running build/clean scripts that delete test artifacts, temporary executables, and configuration entries
  - Self-updating software that deletes old version run keys before writing new ones during an update cycle
level: high
