1. Home
  2. Techniques
  3. Enterprise
  4. Indicator Removal on Host

Indicator Removal on Host

ID Name
T1070.001 Clear Windows Event Logs
T1070.002 Clear Linux or Mac System Logs
T1070.003 Clear Command History
T1070.004 File Deletion
T1070.005 Network Share Connection Removal
T1070.006 Timestomp

Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and format of logs are platform or product-specific, however standard operating system logs are captured as Windows events or Linux/macOS files such as Bash History and /var/log/*.

These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.

ID: T1070
Sub-techniques:  T1070.001, T1070.002, T1070.003, T1070.004, T1070.005, T1070.006
Tactic: Defense Evasion
Platforms: Containers, Linux, Windows, macOS
Defense Bypassed: Anti-virus, Host intrusion prevention systems, Log analysis
CAPEC ID: CAPEC-93
Contributors: Brad Geesaman, @bradgeesaman; Ed Williams, Trustwave, SpiderLabs
Version: 1.2
Created: 31 May 2017
Last Modified: 27 July 2021
Provided by LAYER 8

Procedure Examples

ID Name Description
G0016 APT29

APT29 removed evidence of email export requests using Remove-MailboxExportRequest.[1] They temporarily replaced legitimate utilities with their own, executed their payload, and then restored the original file.[2]
S0239 Bankshot

Bankshot deletes all artifacts associated with the malware from the infected machine.[3]
S0534 Bazar

Bazar's loader can delete scheduled tasks created by a previous instance of the malware.[4]

S0089 BlackEnergy

BlackEnergy has removed the watermark associated with enabling the TESTSIGNING boot configuration option by removing the relevant strings in the user32.dll.mui of the system.[5]
S0527 CSPY Downloader

CSPY Downloader has the ability to remove values it writes to the Registry.[6]
S0568 EVILNUM

EVILNUM has a function called "DeleteLeftovers" to remove certain artifacts of the attack.[7]
S0477 Goopy

Goopy has the ability to delete emails used for C2 once the content has been copied.[8]

S0632 GrimAgent

GrimAgent can delete previously created tasks on a compromised host.[9]
S0449 Maze

Maze has used the "Wow64RevertWow64FsRedirection" function following attempts to delete the shadow volumes, in order to leave the system in the same state as it was prior to redirection.[10]

S0500 MCMD

MCMD has the ability to remove set Registry Keys.[11]
S0455 Metamorfo

Metamorfo has a command to delete a Registry key it uses, \Software\Microsoft\Internet Explorer\notes.[12]

S0083 Misdat

Misdat is capable of deleting Registry keys used for persistence.[13]
S0385 njRAT

njRAT is capable of deleting objects related to itself (registry keys, files, and firewall rules) on the victim.[14][15]
S0229 Orz

Orz can overwrite Registry settings to reduce its visibility on the victim.[16]
S0517 Pillowmint

Pillowmint can uninstall the malicious service from an infected machine.[17]
S0428 PoetRAT

PoetRAT has the ability to overwrite scripts and delete itself if a sandbox environment is detected.[18]
S0113 Prikormka

After encrypting its own log files, the log encryption module in Prikormka deletes the original, unencrypted files from the host.[19]
S0448 Rising Sun

Rising Sun can clear process memory by overwriting it with junk bytes.[20]

S0148 RTM

RTM has the ability to remove Registry entries that it created during execution.[21]
S0461 SDBbot

SDBbot has the ability to clean up and remove data structures from a compromised host.[22]
S0596 ShadowPad

ShadowPad has deleted arbitrary Registry values.[23]
S0589 Sibot

Sibot will delete an associated registry key if a certain server response is received.[24]
S0603 Stuxnet

Stuxnet removes itself from the system through a DLL export by deleting specific files and stored procedures.[25]
S0559 SUNBURST

SUNBURST removed IFEO values to clean up traces of execution.[26]

Mitigations

ID Mitigation Description
M1041 Encrypt Sensitive Information

Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.
M1029 Remote Data Storage

Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system.

M1022 Restrict File and Directory Permissions

Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Deletion
File Metadata
File Modification
DS0029 Network Traffic Network Traffic Content
DS0009 Process OS API Execution
Process Creation
DS0002 User Account User Account Authentication
DS0024 Windows Registry Windows Registry Key Deletion
Windows Registry Key Modification

File system monitoring may be used to detect improper deletion or modification of indicator files. Events not stored on the file system may require different detection mechanisms.

References

  1. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
  2. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  3. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
  4. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
  5. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  6. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  7. Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved January 28, 2021.
  8. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  9. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021.
  10. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
  11. Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.
  12. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
  13. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  1. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  2. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  3. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  4. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020.
  5. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  6. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  7. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  8. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  9. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  10. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.
  11. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  12. Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.
  13. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.