1. Home
  2. Techniques
  3. Enterprise
  4. Indicator Removal on Host

Indicator Removal on Host

ID Name
T1070.001 Clear Windows Event Logs
T1070.002 Clear Linux or Mac System Logs
T1070.003 Clear Command History
T1070.004 File Deletion
T1070.005 Network Share Connection Removal
T1070.006 Timestomp

Adversaries may delete or modify artifacts generated on a host system to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.

Removal of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.

ID: T1070
Sub-techniques:  T1070.001, T1070.002, T1070.003, T1070.004, T1070.005, T1070.006
Tactic: Defense Evasion
Platforms: Containers, Linux, Network, Windows, macOS
Defense Bypassed: Anti-virus, Host intrusion prevention systems, Log analysis
CAPEC ID: CAPEC-93
Contributors: Brad Geesaman, @bradgeesaman; Ed Williams, Trustwave, SpiderLabs
Version: 1.3
Created: 31 May 2017
Last Modified: 01 April 2022

Procedure Examples

ID Name Description
G0016 APT29

APT29 removed evidence of email export requests using Remove-MailboxExportRequest.[1] They temporarily replaced legitimate utilities with their own, executed their payload, and then restored the original file.[2]
S0239 Bankshot

Bankshot deletes all artifacts associated with the malware from the infected machine.[3]
S0534 Bazar

Bazar's loader can delete scheduled tasks created by a previous instance of the malware.[4]

S0089 BlackEnergy

BlackEnergy has removed the watermark associated with enabling the TESTSIGNING boot configuration option by removing the relevant strings in the user32.dll.mui of the system.[5]
S0527 CSPY Downloader

CSPY Downloader has the ability to remove values it writes to the Registry.[6]
S0673 DarkWatchman

DarkWatchman can uninstall malicious components from the Registry, stop processes, and clear the browser history.[7]
S0695 Donut

Donut can erase file references to payloads in-memory after being reflectively loaded and executed.[8]
S0568 EVILNUM

EVILNUM has a function called "DeleteLeftovers" to remove certain artifacts of the attack.[9]
S0696 Flagpro

Flagpro can close specific Windows Security and Internet Explorer dialog boxes to mask external connections.[10]
S0477 Goopy

Goopy has the ability to delete emails used for C2 once the content has been copied.[11]

S0632 GrimAgent

GrimAgent can delete previously created tasks on a compromised host.[12]
S0697 HermeticWiper

HermeticWiper can disable pop-up information about folders and desktop items and delete Registry keys to hide malicious services.[13][14]
S0669 KOCTOPUS

KOCTOPUS can delete created registry keys as part of its cleanup procedure.[15]
G0032 Lazarus Group

Lazarus Group has restored malicious KernelCallbackTable code to its original state after the process execution flow has been hijacked.[16]
S0449 Maze

Maze has used the "Wow64RevertWow64FsRedirection" function following attempts to delete the shadow volumes, in order to leave the system in the same state as it was prior to redirection.[17]

S0500 MCMD

MCMD has the ability to remove set Registry Keys.[18]
S0455 Metamorfo

Metamorfo has a command to delete a Registry key it uses, \Software\Microsoft\Internet Explorer\notes.[19]

S0083 Misdat

Misdat is capable of deleting Registry keys used for persistence.[20]
S0691 Neoichor

Neoichor can clear the browser history on a compromised host by changing the ClearBrowsingHistoryOnExit value to 1 in the HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy Registry key.[21]
S0385 njRAT

njRAT is capable of manipulating and deleting registry keys.[22]
S0229 Orz

Orz can overwrite Registry settings to reduce its visibility on the victim.[23]
S0517 Pillowmint

Pillowmint can uninstall the malicious service from an infected machine.[24]
S0448 Rising Sun

Rising Sun can clear process memory by overwriting it with junk bytes.[25]

S0148 RTM

RTM has the ability to remove Registry entries that it created during execution.[26]
S0461 SDBbot

SDBbot has the ability to clean up and remove data structures from a compromised host.[27]
S0596 ShadowPad

ShadowPad has deleted arbitrary Registry values.[28]
S0589 Sibot

Sibot will delete an associated registry key if a certain server response is received.[29]
S0692 SILENTTRINITY

SILENTTRINITY can remove artifacts from the compromised host, including created Registry keys.[30]
S0603 Stuxnet

Stuxnet can delete OLE Automation and SQL stored procedures used to store malicious payloads.[31]
S0559 SUNBURST

SUNBURST removed IFEO and HTTP proxy registry values to clean up traces of execution. SUNBURST also removed the firewall rules it created during execution.[32]

Mitigations

ID Mitigation Description
M1041 Encrypt Sensitive Information

Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.
M1029 Remote Data Storage

Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system.

M1022 Restrict File and Directory Permissions

Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Deletion
File Metadata
File Modification
DS0029 Network Traffic Network Traffic Content
DS0009 Process OS API Execution
Process Creation
DS0002 User Account User Account Authentication
DS0024 Windows Registry Windows Registry Key Deletion
Windows Registry Key Modification

File system monitoring may be used to detect improper deletion or modification of indicator files. Events not stored on the file system may require different detection mechanisms.

References

  1. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
  2. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  3. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
  4. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
  5. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  6. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  7. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  8. TheWover. (2019, May 9). donut. Retrieved March 25, 2022.
  9. Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021.
  10. Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.
  11. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  12. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021.
  13. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.
  14. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022.
  15. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
  16. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
  1. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
  2. Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.
  3. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
  4. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  5. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  6. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  7. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  8. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020.
  9. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  10. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  11. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  12. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.
  13. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  14. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  15. Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.
  16. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.