T1070 is evidence destruction: clearing logs, deleting trails and scrubbing the audit record so responders can reconstruct nothing. The cloud equivalent of wiping an event log is stopping or thinning the platform audit trail. DCV's coverage concentrates on the Azure posture set: diagnostic-settings and activity-log policies, the regulatory control that an activity log exists, Log Analytics onboarding and log-retention requirements that make quiet deletion visible as a configuration change. Ship logs off the account they describe; an attacker cannot scrub what they cannot reach.
Adversaries may selectively delete or modify artifacts generated to reduce indications of their presence and blend in with legitimate activity. Rather than broadly removing evidence, adversaries may target specific artifacts that appear anomalous or are likely to draw scrutiny, while leaving sufficient data intact to maintain the appearance of normal system behavior.
Artifacts such as command histories, log entries, or file metadata may be altered in ways that align with expected user or system activity. Location, format, and type of artifact (such as command or login history) are often platform-specific, allowing adversaries to tailor modifications that minimize suspicion.
These actions may not prevent detection entirely but can delay recognition of malicious activity or reduce the fidelity of alerts by making events appear benign or consistent with routine operations. Additionally, selectively removed or modified artifacts may still be recoverable through deeper forensic analysis, though their absence or alteration can complicate timeline reconstruction and attribution.
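The point above is that, in the cloud, the audit trail itself is the artifact: the trail is stopped or thinned by a configuration change, and that change is itself logged (provided the log lives somewhere the caller cannot reach). The following is an added example, not DCV's or CloudSigma's code, showing the shape of a triage pass over exported Azure Activity Log records: it flags successful removal of diagnostic settings or log profiles, deletion of a Log Analytics workspace, and a workspace write that lowers retention below an assumed floor. The operation names are Azure's documented resource-provider operations; the record layout, callers, resource ids, the `retentionInDays` property on the write event and the 90-day floor are constructed for the example and should be checked against your own tenant's export format.

```python
"""Flag Azure Activity Log events that stop, thin or delete the audit trail.

Added example, not part of the DCV or CloudSigma projects. Run it over a
copy of the Activity Log exported to a workspace or storage account in a
separate subscription, so the events it looks for cannot be scrubbed by
the same identity that triggered them.
"""
import json

# Azure operation names (lower-cased for matching) that weaken the trail.
# The value is the reason string reported in the finding.
AUDIT_TRAIL_OPERATIONS = {
    "microsoft.insights/diagnosticsettings/delete": "diagnostic setting removed",
    "microsoft.insights/logprofiles/delete": "activity log profile removed",
    "microsoft.operationalinsights/workspaces/delete": "Log Analytics workspace deleted",
    "microsoft.operationalinsights/workspaces/write": "Log Analytics workspace reconfigured",
}

# Assumed retention floor; set this to whatever your retention policy requires.
MIN_RETENTION_DAYS = 90

# Constructed sample in newline-delimited JSON. Field names follow the
# Activity Log export schema loosely; callers and resource ids are invented.
SAMPLE_ACTIVITY_LOG = "\n".join([
    '{"time": "2024-05-01T10:02:11Z", "caller": "svc-automation@example.com", "operationName": "Microsoft.Insights/diagnosticSettings/delete", "status": "Succeeded", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod/providers/microsoft.insights/diagnosticSettings/to-siem"}',
    '{"time": "2024-05-01T10:03:40Z", "caller": "svc-automation@example.com", "operationName": "Microsoft.OperationalInsights/workspaces/write", "status": "Succeeded", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logs/providers/Microsoft.OperationalInsights/workspaces/law-central", "properties": {"retentionInDays": 7}}',
    '{"time": "2024-05-01T10:05:02Z", "caller": "platform-admin@example.com", "operationName": "Microsoft.OperationalInsights/workspaces/write", "status": "Succeeded", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logs/providers/Microsoft.OperationalInsights/workspaces/law-central", "properties": {"retentionInDays": 365}}',
    '{"time": "2024-05-01T10:06:19Z", "caller": "platform-admin@example.com", "operationName": "Microsoft.Compute/virtualMachines/write", "status": "Succeeded", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web-01"}',
    '{"time": "2024-05-01T10:07:55Z", "caller": "svc-automation@example.com", "operationName": "Microsoft.Insights/diagnosticSettings/delete", "status": "Failed", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprod/providers/microsoft.insights/diagnosticSettings/to-siem"}',
])


def parse_activity_log(text):
    """Parse newline-delimited JSON into a list of record dicts, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def audit_trail_findings(records, min_retention_days=MIN_RETENTION_DAYS):
    """Return one finding per successful event that weakens the audit trail.

    Failed attempts are skipped here (they are still worth alerting on in a
    separate rule); workspace writes only count when they lower retention
    below the floor, so routine workspace updates do not fire.
    """
    findings = []
    for rec in records:
        op = rec.get("operationName", "").lower()
        reason = AUDIT_TRAIL_OPERATIONS.get(op)
        if reason is None or rec.get("status") != "Succeeded":
            continue
        if op.endswith("/workspaces/write"):
            # Assumes the write event carries the new retention in properties.
            retention = rec.get("properties", {}).get("retentionInDays")
            if retention is None or retention >= min_retention_days:
                continue
            reason = f"Log Analytics retention lowered to {retention} days"
        findings.append({
            "time": rec.get("time"),
            "caller": rec.get("caller"),
            "resource": rec.get("resourceId"),
            "operation": rec.get("operationName"),
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_trail_findings(parse_activity_log(SAMPLE_ACTIVITY_LOG)):
        print(f"{finding['time']} {finding['caller']}: {finding['reason']} on {finding['resource']}")
```

Two of the five constructed records produce findings: the successful diagnostic-setting deletion and the retention drop to 7 days. The failed deletion and the retention raise to 365 days do not. The same pattern applies to the GCP side of the table (disabling a Logging sink or shortening a bucket's retention), with the provider's own method names substituted for the Azure operation map.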
Platforms: Containers, ESXi, Linux, macOS, Network Devices, Office Suite, Windows.
DCV maps 17 detections across 2 cloud providers to T1070. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| Microsoft Defender for Cloud | Azure | 5 | 0.87 |
| Azure Policy | Azure | 4 | 0.89 |
| GCP Security Command Center | GCP | 4 | 0.82 |
| Azure Regulatory Compliance | Azure | 3 | 0.90 |
| GCP Chronicle | GCP | 1 | 0.90 |
CloudSigma has coverage metadata for 17 T1070 rules across 2 platforms, but no public example rule clears the embed bar for this page yet. The linked platform page remains the canonical rule surface, and this page will embed an example once a rule clears the bar. Until then, generate a fresh starting-point rule in CloudSigma from the relevant advisory or threat-research input, then validate it against your local telemetry before enabling it in production.
DCV maps 17 cloud-native detections to T1070 across 2 cloud providers, drawn from Azure Policy, Azure Regulatory Compliance, GCP Chronicle, GCP Security Command Center and Microsoft Defender for Cloud.
T1070 is part of MITRE ATT&CK TA0005 Stealth: How adversaries hide activity from security controls without disabling them.
CloudSigma ships 2 validated Sigma rules for T1070 across Entra ID Audit and Okta System Log. Each rule is validated against its source SIEM dialect before publication.