DET0184: Behavioral Detection of Indicator Removal Across Platforms
Analyst context for executives and security teams
DET0184 is a detection strategy for spotting behavior associated with Indicator Removal: attempts to delete or alter evidence so an intrusion is harder to investigate. For leaders, the significance is not just “log deletion”; it is whether the organization can still reconstruct events when an adversary tries to reduce traces across supported environments such as Containers, ESXi, Linux, and macOS as identified in the related ATT&CK technique.
Executive priority
Prioritize this as an incident readiness and audit-evidence issue. If command histories, log entries, or file metadata can be selectively changed without alerting or independent retention, response teams may lose the timeline needed for containment, legal review, and control validation. Executives should ask whether critical systems have tamper-resistant logging, whether SOC alerts cover evidence-removal behavior, and whether IR playbooks account for incomplete or manipulated artifacts.
Technical view
Validate detection coverage around the related technique T1070 Indicator Removal, especially selective deletion or modification of artifacts that would normally support investigation. Because the detection strategy object itself has no official detection text and no directly specified platforms, technical implementation should be driven by the related technique context: Containers, ESXi, Linux, and macOS. SOC and IR teams should test whether changes to command histories, log entries, and file metadata produce observable events and whether those events survive local tampering.
Likely telemetry
- Endpoint/file integrity events showing deletion, truncation, permission changes, timestamp changes, or metadata modification
- Operating system audit logs for log file access, clearing, or modification
- Shell and command history artifacts where available
- Container runtime and host audit events relevant to file/log manipulation
- ESXi management and host logs where retained
Detection direction
- Correlate suspicious artifact modification with user, process, host, and time context rather than alerting only on any file deletion.
- Tune for selective or anomalous changes to investigative artifacts, including command histories, log entries, and file metadata referenced by the related technique.
- Watch for telemetry gaps: a sudden absence of expected logs can be as important as an explicit deletion event.
- Validate coverage separately for Containers, ESXi, Linux, and macOS where those platforms exist, because artifact locations and logging models differ.
- Account for legitimate administrative maintenance, log rotation, privacy workflows, and troubleshooting activity to reduce false positives.
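The detection direction above can be exercised with a small correlation routine. The following is an added example written for this page, not code from Glexia or MITRE: it scores constructed endpoint audit events for selective tampering with investigative artifacts (command histories, log files), escalates when one user on one host touches several such artifacts in a short window, suppresses known maintenance processes, and separately flags hosts whose telemetry has gone quiet. The event schema, artifact paths, action names, and benign-process list are assumptions to be replaced with local values.

```python
"""Added example: correlate artifact-tampering events and detect telemetry gaps.

The event schema, artifact paths, action names and benign-process list below are
assumptions for illustration, not a real product's fields or a vetted allowlist.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Path fragments of artifacts an investigator relies on (assumed; tune per platform).
INVESTIGATIVE_ARTIFACTS = (
    "/var/log/auth.log", "/var/log/secure", "/var/log/wtmp",
    "/var/log/audit/audit.log", "/.bash_history", "/.zsh_history",
    "/var/log/hostd.log", "/var/log/vmware/",
)
# File actions that delete, truncate or alter metadata (assumed audit action names).
SUSPICIOUS_ACTIONS = {"unlink", "truncate", "chmod", "utimes"}
# Processes that legitimately rewrite these paths during maintenance (assumed; tune locally).
BENIGN_PROCESSES = {"logrotate", "journald", "newsyslog"}

# Constructed sample audit events; not real telemetry.
EVENTS = [
    {"ts": "2025-01-10T02:00:01", "host": "web01", "user": "root",
     "proc": "logrotate", "action": "truncate", "path": "/var/log/auth.log"},
    {"ts": "2025-01-10T14:12:33", "host": "web01", "user": "svc-deploy",
     "proc": "bash", "action": "unlink", "path": "/home/svc-deploy/.bash_history"},
    {"ts": "2025-01-10T14:12:40", "host": "web01", "user": "svc-deploy",
     "proc": "bash", "action": "utimes", "path": "/tmp/.x"},
    {"ts": "2025-01-10T14:13:05", "host": "web01", "user": "svc-deploy",
     "proc": "bash", "action": "truncate", "path": "/var/log/wtmp"},
    {"ts": "2025-01-10T14:20:00", "host": "db01", "user": "alice",
     "proc": "vim", "action": "unlink", "path": "/home/alice/notes.txt"},
]


def is_investigative_artifact(path: str) -> bool:
    """True when the path matches one of the artifact fragments above."""
    return any(fragment in path for fragment in INVESTIGATIVE_ARTIFACTS)


def tamper_findings(events, window: timedelta = timedelta(minutes=5)):
    """Return one finding per (host, user) that altered investigative artifacts.

    Events from maintenance processes and events on non-artifact paths are ignored.
    Severity is 'high' when the actor touched two or more artifacts within `window`,
    otherwise 'medium'; this is the correlation step rather than a per-deletion alert.
    """
    matches = [
        e for e in events
        if e["action"] in SUSPICIOUS_ACTIONS
        and is_investigative_artifact(e["path"])
        and e["proc"] not in BENIGN_PROCESSES
    ]
    by_actor = defaultdict(list)
    for e in matches:
        by_actor[(e["host"], e["user"])].append(e)

    findings = []
    for (host, user), evs in sorted(by_actor.items()):
        evs.sort(key=lambda e: e["ts"])
        times = [datetime.fromisoformat(e["ts"]) for e in evs]
        clustered = len(evs) >= 2 and (times[-1] - times[0]) <= window
        findings.append({
            "host": host,
            "user": user,
            "severity": "high" if clustered else "medium",
            "paths": [e["path"] for e in evs],
            "processes": sorted({e["proc"] for e in evs}),
            "first_seen": evs[0]["ts"],
            "last_seen": evs[-1]["ts"],
        })
    return findings


# Constructed log-arrival timestamps per host: web01 goes silent at 14:15, db01 keeps reporting.
ARRIVALS = (
    [("web01", datetime(2025, 1, 10, 13, 0) + timedelta(minutes=5 * i)) for i in range(16)]
    + [("db01", datetime(2025, 1, 10, 13, 0) + timedelta(minutes=5 * i)) for i in range(25)]
)
NOW = datetime(2025, 1, 10, 15, 0)


def telemetry_gaps(arrivals, now: datetime, max_silence: timedelta = timedelta(minutes=30)):
    """Return hosts whose most recent log arrival is older than `max_silence`.

    A host that stops reporting can indicate log clearing or a disabled agent just as
    much as an explicit deletion event would, so the gap itself is the signal.
    """
    last_seen = {}
    for host, ts in arrivals:
        last_seen[host] = max(last_seen.get(host, ts), ts)
    return sorted(host for host, ts in last_seen.items() if now - ts > max_silence)


if __name__ == "__main__":
    for finding in tamper_findings(EVENTS):
        print(finding)
    print("silent hosts:", telemetry_gaps(ARRIVALS, NOW))
```

Running the block reports one high-severity finding for `svc-deploy` on `web01` (history file removed and `wtmp` truncated 32 seconds apart), ignores the scheduled `logrotate` truncation and the unrelated file deletion on `db01`, and lists `web01` as silent for longer than the 30-minute threshold.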
Mitigation priorities
- Centralize and protect logs so local deletion or modification does not erase the only copy of evidence.
- Restrict permissions to modify command histories, system logs, and security-relevant metadata to appropriate administrative roles.
- Use retention, integrity monitoring, and time synchronization to make suspicious changes easier to identify during investigations.
- Define IR procedures for suspected indicator removal, including preservation of volatile evidence and review of centralized telemetry gaps.
- Regularly test whether SOC detections and investigation workflows still function when local artifacts are missing or altered.
Analyst notes and limits
The ATT&CK object is a detection strategy named Behavioral Detection of Indicator Removal Across Platforms and is linked to T1070 Indicator Removal. The relationship context provides the actionable defensive framing: adversaries may selectively delete or modify artifacts such as command histories, log entries, or file metadata to reduce indications of their presence while preserving an appearance of normal behavior.
The supplied detection strategy has no official description, no official detection text, and no directly specified platforms or tactics. Platform and tactic context comes only from the relationship to T1070. Local engineering is required to identify exact artifact paths, log sources, retention controls, and expected administrative behavior.
Behavioral Detection of Indicator Removal Across Platforms
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1070 | Indicator Removal | This object detects Indicator Removal. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 6f588cd79e1c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0184
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.