Technique on mitre.org

T1070: Indicator Removal

Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.

Removal of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

pt_application_firewall: PT-CR-635: Web_Request_Missing_Useragent: A connection without browser information pt_application_firewall: PT-CR-633: Web_Headless_Browser_Detected: A headless (non-GUI) connection attempt mysql_database: PT-CR-620: MySQL_Audit_Table_Truncate: Attempt to truncate an audit table microsoft_exchange: PT-CR-2354: Exchange_Journal_Rule_Actions: A user performed an action with a journal rule in Exchange. This could be an attacker's attempt to hide their actions or disrupt availability of system and network resources.

Subtechniques

Expert Required. The technique is detected only with the combination of «PT Product + Expert»

Detection

ID	DS0003	Data source and component	Scheduled Job: Scheduled Job Modification	Description	Monitor for changes made to scheduled jobs that may attempt to remove artifacts on a host system.

ID	DS0018	Data source and component	Firewall: Firewall Rule Modification	Description	Monitor for changes made to firewall rules, especially unexpected modifications that may potentially be related to allowing and/or cleaning up previous tampering that enabled malicious network traffic.

ID	DS0002	Data source and component	User Account: User Account Authentication	Description	Monitor for an attempt by a user to gain access to a network or computing resource, often by providing credentials that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

ID	DS0022	Data source and component	File: File Metadata	Description	Monitor for contextual file data that may show signs of deletion or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

ID	DS0009	Data source and component	Process: OS API Execution	Description	Monitor for API calls that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

ID	DS0015	Data source and component	Application Log: Application Log Content	Description	Monitor logs for abnormal modifications to application settings, such as the creation of malicious Exchange transport rules.

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor executed commands and arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

ID	DS0022	Data source and component	File: File Modification	Description	Monitor for changes made to a file may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

ID	DS0022	Data source and component	File: File Deletion	Description	Monitor for a file that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

ID	DS0009	Data source and component	Process: Process Creation	Description	Monitor for newly executed processes that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

ID	DS0024	Data source and component	Windows Registry: Windows Registry Key Modification	Description	Monitor for changes made to windows registry keys or values that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

ID	DS0029	Data source and component	Network Traffic: Network Traffic Content	Description	Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

ID	DS0024	Data source and component	Windows Registry: Windows Registry Key Deletion	Description	Monitor windows registry keys that may be deleted or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

ID	DS0002	Data source and component	User Account: User Account Deletion	Description	Monitor for unexpected deletions of user accounts. Windows event logs may highlight activity associated with an adversary's attempt to remove an account (e.g., `Event ID 4726 - A user account was deleted`). Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate account modification events with other indications of malicious activity where possible.

ID	Data source and component	Description
DS0003	Scheduled Job: Scheduled Job Modification	Monitor for changes made to scheduled jobs that may attempt to remove artifacts on a host system.
DS0018	Firewall: Firewall Rule Modification	Monitor for changes made to firewall rules, especially unexpected modifications that may potentially be related to allowing and/or cleaning up previous tampering that enabled malicious network traffic.
DS0002	User Account: User Account Authentication	Monitor for an attempt by a user to gain access to a network or computing resource, often by providing credentials that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.
DS0022	File: File Metadata	Monitor for contextual file data that may show signs of deletion or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.
DS0009	Process: OS API Execution	Monitor for API calls that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.
DS0015	Application Log: Application Log Content	Monitor logs for abnormal modifications to application settings, such as the creation of malicious Exchange transport rules.
DS0017	Command: Command Execution	Monitor executed commands and arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.
DS0022	File: File Modification	Monitor for changes made to a file may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.
DS0022	File: File Deletion	Monitor for a file that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.
DS0009	Process: Process Creation	Monitor for newly executed processes that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.
DS0024	Windows Registry: Windows Registry Key Modification	Monitor for changes made to windows registry keys or values that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.
DS0029	Network Traffic: Network Traffic Content	Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).
DS0024	Windows Registry: Windows Registry Key Deletion	Monitor windows registry keys that may be deleted or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.
DS0002	User Account: User Account Deletion	Monitor for unexpected deletions of user accounts. Windows event logs may highlight activity associated with an adversary's attempt to remove an account (e.g., `Event ID 4726 - A user account was deleted`). Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate account modification events with other indications of malicious activity where possible.

Mitigation

ID	M1041	Name	Encrypt Sensitive Information	Description	Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.

ID	M1029	Name	Remote Data Storage	Description	Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system.

ID	M1022	Name	Restrict File and Directory Permissions	Description	Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.

ID	Name	Description
M1041	Encrypt Sensitive Information	Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.
M1029	Remote Data Storage	Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system.
M1022	Restrict File and Directory Permissions	Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.