Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary, or may otherwise be attributable to an adversary's actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs generated from user actions, and other data analyzed by defenders. The location, format, and type of artifact (such as command or login history) are often specific to each platform.
Removal of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.
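The description above names the artifacts defenders rely on (event logs, system logs, command history, file timestamps) without showing what their removal looks like in telemetry. As an added example, not part of the ATT&CK description or of any mapping on this page, the following Python scans normalised host events for the removal actions behind the sub-techniques listed at the bottom of this page: Windows event-log clearing (Security 1102, System 104, `wevtutil cl`, `Clear-EventLog`), deletion or truncation of Linux logs under `/var/log`, shell-history clearing, and `touch`-based timestomping. The event schema (`host`, `source`, `event_id`, `cmdline`), the sample records and the rule set are constructed for this example and are illustrative rather than exhaustive.

```python
"""Host-side detection logic for T1070 Indicator Removal (added example).

Scans JSON-lines telemetry in a constructed schema and tags each event with
the T1070 sub-technique(s) it indicates.  Event IDs 1102/104 are the
Windows "audit log cleared" / "event log file cleared" records; the
command-line rules cover common log- and history-wiping one-liners.
"""
import json
import re

# (source, event_id) pairs that mean a Windows log was wiped.
LOG_CLEARED_EVENT_IDS = {("windows_security", 1102), ("windows_system", 104)}

# Command-line patterns, each mapped to the sub-technique it indicates.
CMDLINE_RULES = [
    # Windows: wevtutil cl/clear-log <log>, or PowerShell Clear-EventLog
    (re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I), "T1070.001"),
    (re.compile(r"\bClear-EventLog\b", re.I), "T1070.001"),
    # Linux/macOS: deleting, shredding, truncating or zeroing files under /var/log
    (re.compile(r"\b(rm|shred|truncate)\b[^;&|]*/var/log/"), "T1070.002"),
    (re.compile(r"(^|[;&|])\s*(:|cat\s+/dev/null)\s*>\s*/var/log/"), "T1070.002"),
    # Shell history: clearing it, detaching the history file, or deleting it
    (re.compile(r"\bhistory\s+-c\b"), "T1070.003"),
    (re.compile(r"\bunset\s+HISTFILE\b"), "T1070.003"),
    (re.compile(r"\b(rm|shred|truncate)\b[^;&|]*\.(bash|zsh)_history\b"), "T1070.003"),
    # Timestomping: touch -t <stamp> or touch -r <reference file>
    (re.compile(r"\btouch\b.*\s-[amc]*[tr]\b"), "T1070.006"),
]


def classify(event):
    """Return the sorted list of T1070 sub-technique IDs this event indicates."""
    hits = set()
    if (event.get("source"), event.get("event_id")) in LOG_CLEARED_EVENT_IDS:
        hits.add("T1070.001")
    cmdline = event.get("cmdline", "")
    for pattern, technique in CMDLINE_RULES:
        if pattern.search(cmdline):
            hits.add(technique)
    return sorted(hits)


def scan(lines):
    """Parse JSON-lines telemetry; return (host, sub-techniques, summary) per hit."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        hits = classify(event)
        if hits:
            summary = event.get("cmdline") or f"event_id {event['event_id']}"
            findings.append((event["host"], hits, summary))
    return findings


# Constructed sample telemetry (not real data): two benign lines are included
# so the rules can be seen to ignore ordinary log reading and PowerShell use.
SAMPLE_EVENTS = """
{"host": "ws01", "source": "windows_security", "event_id": 1102, "user": "jdoe"}
{"host": "ws01", "source": "windows_process", "event_id": 4688, "cmdline": "wevtutil.exe cl Security"}
{"host": "ws02", "source": "windows_process", "event_id": 4688, "cmdline": "powershell.exe -c Get-EventLog -List"}
{"host": "srv01", "source": "linux_process", "event_id": 0, "cmdline": "rm -rf /var/log/audit/ ~/.bash_history"}
{"host": "srv01", "source": "linux_process", "event_id": 0, "cmdline": "history -c; unset HISTFILE"}
{"host": "srv02", "source": "linux_process", "event_id": 0, "cmdline": "touch -r /bin/ls /tmp/.x/payload"}
{"host": "srv02", "source": "linux_process", "event_id": 0, "cmdline": "tail -n 50 /var/log/syslog"}
"""

if __name__ == "__main__":
    for host, techniques, summary in scan(SAMPLE_EVENTS.splitlines()):
        print(f"{host}: {', '.join(techniques)} <- {summary}")
```

The rules deliberately key on the destructive verb plus the target path rather than on the path alone, so routine reads of `/var/log` do not fire; in a real deployment the same `classify` function would be fed by Sysmon/auditd process-creation records rather than the constructed lines above.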
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.DS-10.01 | Data-in-use protection | Mitigates | T1070 | Indicator Removal | This Diagnostic Statement describes mitigations related to protecting data-in-use, including encryption, access control methods, and authentication. Using encryption for data-in-use, alongside other safeguards such as those restricting exfiltration of sensitive data, helps mitigate collection and exfiltration threats. |
PR.PS-01.06 | Encryption management practices | Mitigates | T1070 | Indicator Removal | This Diagnostic Statement is associated with employing encryption methods to mitigate unauthorized access to or theft of data, protecting the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To mitigate indicator removal techniques, obfuscate or encrypt event files locally and in transit so that an adversary receives no feedback on what has been recorded. |
PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1070 | Indicator Removal | This Diagnostic Statement protects against Indicator Removal through key management. Employing key protection strategies for the key material used to protect indicators, limiting its use to specific accounts, and applying access control mechanisms provides protection against adversaries attempting to remove indicators of compromise. |
ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1070 | Indicator Removal | Storing data remotely can be used to manage data so that adversaries are unable to interfere with the processes used to detect intrusion activity. There may be some similarity to NIST SP 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques. |
ID.AM-08.05 | Data destruction procedures | Mitigates | T1070 | Indicator Removal | Storing data remotely can be used to manage data so that adversaries are unable to interfere with the processes used to detect intrusion activity. There may be some similarity to NIST SP 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques. |
PR.PS-01.05 | Encryption standards | Mitigates | T1070 | Indicator Removal | This Diagnostic Statement is associated with employing strong encryption methods to mitigate unauthorized access to or theft of data, protecting the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To mitigate indicator removal techniques, obfuscate or encrypt event files locally and in transit so that an adversary receives no feedback on what has been recorded. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CVE-2023-1389 | TP-Link Archer AX-21 Command Injection Vulnerability | secondary_impact | T1070 | Indicator Removal | CVE-2023-1389 is a command injection vulnerability in one of the API components of the TP-Link Archer router's web management interface. Public reports indicate that multiple Mirai-variant botnets, including Condi, target these vulnerable devices. |
CVE-2022-41128 | Microsoft Windows Scripting Languages Remote Code Execution Vulnerability | secondary_impact | T1070 | Indicator Removal | This vulnerability is exploited by a remote adversary who entices a user running an affected version of Windows to access a malicious server. The adversary hosts a specially crafted server share or website and convinces the user to visit it, typically through an email or chat message. The adversary then crafts a malicious Microsoft Office document that embeds a remote RTF template, which fetches HTML content rendered by Internet Explorer's JScript engine; this stealthy vector works even when Internet Explorer is not the default browser. Once the victim opens the document and disables Protected View, the adversary executes arbitrary code by triggering a type confusion error in the JScript engine. This allows the adversary to deliver malicious payloads, conduct reconnaissance, and exfiltrate data, while erasing traces of the exploit by clearing the browser cache and history. The impact on the victim includes unauthorized access to sensitive information and the potential installation of backdoors for further exploitation. |
CVE-2021-45382 | D-Link Multiple Routers Remote Code Execution Vulnerability | secondary_impact | T1070 | Indicator Removal | This remote command execution vulnerability is exploited by an unauthenticated, remote adversary via the DDNS function in the ncc2 binary. Adversaries have leveraged it to spread the Mirai variants Beastmode and IZ1H9 for distributed denial-of-service attacks. In the IZ1H9 campaign, after exploiting the vulnerability the attackers injected the IZ1H9 payload into the device. That payload downloaded a further script from a specific web address; when run, the script erased records to cover up the malicious actions and then downloaded additional software designed for different types of devices. The script also changed the device's settings to block certain network connections, making the malware harder to remove. The infected device then connected to a control server and waited for instructions on which type of denial-of-service attack to carry out, such as disrupting services over various internet protocols. In the Beastmode campaign, exploitation led to the download and execution of a script called "ddns.sh", which fetched the Beastmode program and saved and ran it with specific settings. Those settings placed the infected device in a subgroup within the larger botnet, helping the attackers manage and assess the effectiveness of their exploits. Once compromised by Beastmode, devices could be used to launch various denial-of-service attacks, similar to those seen in other Mirai-based botnets. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Export data | Export data to another site or system | related-to | T1070 | Indicator Removal |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
microsoft_sentinel | Microsoft Sentinel | technique_scores | T1070 | Indicator Removal | This control provides specific minimal coverage for two of this technique's sub-techniques, without additional coverage of its procedure examples, resulting in an overall score of Minimal. The Microsoft Sentinel Analytics "Azure DevOps Agent Pool Created Then Deleted" query can detect specific suspicious activity for DevOps agent pools. This is close to this technique's File Deletion sub-technique, but not a complete match. |
alerts_for_linux_machines | Alerts for Linux Machines | technique_scores | T1070 | Indicator Removal | This control is only relevant for Linux environments and provides partial coverage for multiple Linux-relevant sub-techniques. |
alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1070 | Indicator Removal | This control's detection is specific to a minority of this technique's sub-techniques and procedure examples, resulting in a Minimal coverage score and consequently an overall score of Minimal. |
defender_for_containers | Microsoft Defender for Containers | technique_scores | T1070 | Indicator Removal | This control may alert on deletion of Kubernetes events, which attackers may delete to hide their operations in the cluster. There is no relevant sub-technique for this control, but the parent technique applies. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
google_secops | Google Security Operations | technique_scores | T1070 | Indicator Removal | Google Security Operations is able to trigger an alert when logs are cleared from the infrastructure. This technique was scored as Minimal based on a low or uncertain detection coverage factor. Rule: https://github.com/chronicle/detection-rules/blob/main/gcp_cloudaudit/gcp_log_deletion.yaral |
security_command_center | Security Command Center | technique_scores | T1070 | Indicator Removal | SCC is able to detect when audit logging has been disabled for a resource. Adversaries may exploit this weakness to hide their activity and remove evidence of their presence (e.g., clearing command history, clearing logs, deleting files). This technique was graded as Significant due to the high detection coverage and real-time temporal factor. |
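The Google Security Operations and Security Command Center rows above describe alerting when logs are deleted and when audit logging is disabled for a resource, and the Defender for Containers row in the Azure table describes alerting on deletion of Kubernetes events. As an added example, not code from any of those products, from the linked YARA-L rule, or from this page, the following Python applies equivalent checks to constructed GCP Cloud Audit Log entries and Kubernetes audit records. The Cloud Logging method names, the `auditConfigDeltas` structure under `SetIamPolicy`, the Kubernetes audit field names, and all sample records are assumptions modelled on those audit formats; verify them against your own logs before relying on the rules. Every finding maps to the parent technique T1070, consistent with how the page scores these controls.

```python
"""Cloud and cluster audit-log tampering checks for T1070 (added example).

Two record types are handled:
  * GCP Cloud Audit Log entries (protoPayload.*): log/sink deletion, log
    exclusions, and removal of audit-config entries via SetIamPolicy.
  * Kubernetes audit events (audit.k8s.io/v1): delete/deletecollection on
    the "events" resource, the action Defender for Containers alerts on.
Field paths and method names are assumptions, not taken from this page.
"""
import json

# Cloud Logging API methods that delete or divert log data (assumed names).
GCP_LOG_TAMPER_METHODS = {
    "google.logging.v2.LoggingServiceV2.DeleteLog": "log deleted",
    "google.logging.v2.ConfigServiceV2.DeleteSink": "log sink deleted",
    "google.logging.v2.ConfigServiceV2.CreateExclusion": "log exclusion created",
}


def check_gcp_entry(entry):
    """Return a finding string for a tampering GCP audit entry, else None."""
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName", "")
    actor = payload.get("authenticationInfo", {}).get("principalEmail", "?")
    if method in GCP_LOG_TAMPER_METHODS:
        target = payload.get("resourceName", "?")
        return f"{actor}: {GCP_LOG_TAMPER_METHODS[method]} ({target})"
    # Audit logging disabled: an IAM policy change whose policyDelta removes
    # auditConfig entries (service/logType pairs) from the resource.
    if method.endswith("SetIamPolicy"):
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("auditConfigDeltas", [])
        removed = [f"{d.get('service')}/{d.get('logType')}" for d in deltas if d.get("action") == "REMOVE"]
        if removed:
            return f"{actor}: audit logging disabled for {', '.join(removed)}"
    return None


def check_k8s_event(entry):
    """Return a finding for a Kubernetes audit record deleting Event objects, else None."""
    if entry.get("kind") != "Event" or entry.get("verb") not in {"delete", "deletecollection"}:
        return None
    ref = entry.get("objectRef", {})
    if ref.get("resource") != "events":
        return None
    user = entry.get("user", {}).get("username", "?")
    target = ref.get("name") or f"all events in namespace {ref.get('namespace', '?')}"
    return f"{user}: Kubernetes event deleted ({target})"


def scan_audit(lines):
    """Dispatch each JSON line to the matching checker; return (source, finding) pairs."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        if "protoPayload" in entry:
            finding, source = check_gcp_entry(entry), "gcp"
        elif entry.get("apiVersion", "").startswith("audit.k8s.io/"):
            finding, source = check_k8s_event(entry), "k8s"
        else:
            continue
        if finding:
            findings.append((source, finding))
    return findings


# Constructed sample records (not real data); the third and fifth are benign.
SAMPLE_AUDIT = """
{"protoPayload": {"methodName": "google.logging.v2.LoggingServiceV2.DeleteLog", "resourceName": "projects/example-prj/logs/syslog", "authenticationInfo": {"principalEmail": "svc-build@example-prj.iam.gserviceaccount.com"}}}
{"protoPayload": {"methodName": "SetIamPolicy", "resourceName": "projects/example-prj", "authenticationInfo": {"principalEmail": "alice@example.com"}, "serviceData": {"policyDelta": {"auditConfigDeltas": [{"action": "REMOVE", "service": "allServices", "logType": "DATA_READ"}]}}}}
{"protoPayload": {"methodName": "google.logging.v2.LoggingServiceV2.WriteLogEntries", "resourceName": "projects/example-prj", "authenticationInfo": {"principalEmail": "svc-app@example-prj.iam.gserviceaccount.com"}}}
{"apiVersion": "audit.k8s.io/v1", "kind": "Event", "verb": "deletecollection", "user": {"username": "system:serviceaccount:default:ci-runner"}, "objectRef": {"resource": "events", "namespace": "prod"}}
{"apiVersion": "audit.k8s.io/v1", "kind": "Event", "verb": "delete", "user": {"username": "bob@example.com"}, "objectRef": {"resource": "pods", "namespace": "prod", "name": "web-7f9"}}
"""

if __name__ == "__main__":
    for source, finding in scan_audit(SAMPLE_AUDIT.splitlines()):
        print(f"[{source}] T1070 {finding}")
```

The checks return structured findings rather than printing so they can sit in a pipeline; the `SetIamPolicy` branch is the one that matters most in practice, because disabling audit configuration leaves no later deletion to detect.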
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
amazon_inspector | Amazon Inspector | technique_scores | T1070 | Indicator Removal on Host | The Amazon Inspector Best Practices assessment package can assess the security control "Configure permissions for system directories", which prevents privilege escalation by local users and ensures that only the root account can modify or execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications; it only checks whether security controls are in place, which can inform decisions around hardening the system. Furthermore, Amazon Inspector supports only a subset of this technique's sub-techniques. For these reasons, and because the security control is supported only on Linux platforms, the score is Minimal. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PUR-AUS-E5 | Audit Solutions | Technique Scores | T1070 | Indicator Removal | Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization. Microsoft's Audit Solutions detect Indicator Removal attacks through the File and Page audit log activities, which monitor for newly constructed files, for contextual data about files, and for changes made to files. License Requirements: Microsoft 365 E3 and E5. |
PUR-INPR-E5 | Information Protection | Technique Scores | T1070 | Indicator Removal | Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. Information Protection protects against Indicator Removal attacks by encrypting files containing personally identifying information and other sensitive data shared in a cloud app, and by applying sensitivity labels that limit access to employees of your company. License Requirements: Microsoft Defender for Office 365 plan 1 and plan 2. |
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1070.002 | Clear Linux or Mac System Logs | 32 |
T1070.007 | Clear Network Connection History and Configurations | 14 |
T1070.003 | Clear Command History | 13 |
T1070.008 | Clear Mailbox Data | 30 |
T1070.006 | Timestomp | 4 |
T1070.001 | Clear Windows Event Logs | 33 |
T1070.005 | Network Share Connection Removal | 2 |
T1070.010 | Relocate Malware | 7 |
T1070.009 | Clear Persistence | 16 |
T1070.004 | File Deletion | 8 |