DET0184 Behavioral Detection of Indicator Removal Across Platforms

Item	Value
ID	DET0184
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1070 (Indicator Removal)

Analytics

Windows

AN0520

Monitors sequences involving deletion/modification of logs, registry keys, scheduled tasks, or prefetch files following suspicious process activity or elevated access escalation.

Log Sources

Data Component	Name	Channel
File Deletion (DC0040)	WinEventLog:Sysmon	EventCode=23
Application Log Content (DC0038)	WinEventLog:Security	EventCode=1102
Windows Registry Key Modification (DC0063)	WinEventLog:Sysmon	EventCode=13, 14

Mutable Elements

Field	Description
TimeWindow	Correlate indicator removal within X mins after persistence/setup activities
TargetFilePathPattern	Customize detection to log file paths or common registry hives

Linux

AN0521

Detects deletion or overwriting of bash history, syslog, audit logs, and .ssh metadata following privilege elevation or suspicious process spawning.

Log Sources

Data Component	Name	Channel
File Deletion (DC0040)	auditd:SYSCALL	unlink, rename, open
Application Log Content (DC0038)	linux:cli	cleared or truncated .bash_history

Mutable Elements

Field	Description
MonitoredPaths	Adjust based on syslog/auditd file paths (/var/log/messages, /var/log/audit/audit.log)
UserContext	Scope to root/sudo usage or anomalous user behavior

macOS

AN0522

Detects clearing of unified logs, deletion of plist files tied to persistence, and manipulation of Terminal history after initial execution.

Log Sources

Data Component	Name	Channel
Application Log Content (DC0038)	macos:unifiedlog	log stream cleared or truncated
File Deletion (DC0040)	fs:fsusage	unlink, fs_delete
File Modification (DC0061)	macos:osquery	File modifications in ~/Library/Preferences/

Mutable Elements

Field	Description
PlistTargetPaths	Define which plist paths relate to LaunchAgents or LaunchDaemons
ExecutionChainDepth	Allow tuning for multi-process persistence chains

Containers

AN0523

Monitors tampering with audit logs, volumes, or mounted storage often used for side-channel logging (e.g., /var/log inside containers) post-compromise.

Log Sources

Data Component	Name	Channel
File Deletion (DC0040)	docker:daemon	container file operations
File Metadata (DC0059)	ebpf:syscalls	Unexpected container volume unmount + file deletion

Mutable Elements

Field	Description
LogMountPaths	Tune based on how logs are exported (bind-mount, overlay)
ContainerLabelScope	Limit detection to suspicious containers or runtime classes

ESXi

AN0524

Tracks suspicious use of ESXi shell commands or PowerCLI to delete logs, rotate system files, or tamper with hostd/vpxa history.

Log Sources

Data Component	Name	Channel
File Deletion (DC0040)	esxi:hostd	rm, clearlogs, logrotate

Mutable Elements

Field	Description
LogSourceType	Tune per vCenter, vSphere, ESXi CLI telemetry collection
LogPathPattern	Target specific high-value log paths (e.g., /var/log/hostd.log)

Office Suite

AN0525

Detects deletion or hiding of security-related mail rules, audit mailboxes, or calendar/log sync artifacts indicative of tampering post-intrusion.

Log Sources

Data Component	Name	Channel
Scheduled Job Modification (DC0012)	m365:exchange	Remove-InboxRule, Clear-Mailbox
Application Log Content (DC0038)	m365:unified	PurgeAuditLogs, Remove-MailboxAuditLog

Mutable Elements

Field	Description
TargetMailboxScope	Limit by VIP mailboxes or external-facing users
AuditLogDepth	Tune for log deletion following lateral movement