T1070 Indicator Removal

Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.

Removal of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.DS-10.01 Data-in-use protection Mitigates T1070 Indicator Removal
Comments
This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such for restricting exfiltration of sensitive data aid with mitigating collection and exfiltration threats.
References
    PR.PS-01.06 Encryption management practices Mitigates T1070 Indicator Removal
    Comments
    This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to indicator removal techniques, obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.
    References
      PR.PS-01.07 Cryptographic keys and certificates Mitigates T1070 Indicator Removal
      Comments
      This diagnostic statement protects against Indicator Removal through the use of key management. Employing key protection strategies for key material used in protection of indicators, limitations to specific accounts along with access control mechanisms provides protection against adversaries trying to remove indicators of compromise.
      References
        ID.AM-08.03 Data governance and lifecycle management Mitigates T1070 Indicator Removal
        Comments
        Storing data remotely can be used to properly manage data so that adversaries won't be able to interfere with processes used to detect intrusion activities. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
        References
          ID.AM-08.05 Data destruction procedures Mitigates T1070 Indicator Removal
          Comments
          Storing data remotely can be used to properly manage data so that adversaries won't be able to interfere with processes used to detect intrusion activities. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
          References
            PR.PS-01.05 Encryption standards Mitigates T1070 Indicator Removal
            Comments
            This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to indicator removal techniques, obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.
            References

              NIST 800-53 Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              CA-07 Continuous Monitoring mitigates T1070 Indicator Removal
              CM-06 Configuration Settings mitigates T1070 Indicator Removal
              AC-17 Remote Access mitigates T1070 Indicator Removal
              CP-06 Alternate Storage Site mitigates T1070 Indicator Removal
              CP-07 Alternate Processing Site mitigates T1070 Indicator Removal
              SC-36 Distributed Processing and Storage mitigates T1070 Indicator Removal
              SI-23 Information Fragmentation mitigates T1070 Indicator Removal
              CP-09 System Backup mitigates T1070 Indicator Removal
              SC-04 Information in Shared System Resources mitigates T1070 Indicator Removal
              SI-12 Information Management and Retention mitigates T1070 Indicator Removal
              SI-03 Malicious Code Protection mitigates T1070 Indicator Removal
              SI-07 Software, Firmware, and Information Integrity mitigates T1070 Indicator Removal
              AC-16 Security and Privacy Attributes mitigates T1070 Indicator Removal
              AC-18 Wireless Access mitigates T1070 Indicator Removal
              CM-02 Baseline Configuration mitigates T1070 Indicator Removal
              SI-04 System Monitoring mitigates T1070 Indicator Removal
              AC-02 Account Management mitigates T1070 Indicator Removal
              AC-03 Access Enforcement mitigates T1070 Indicator Removal
              AC-05 Separation of Duties mitigates T1070 Indicator Removal
              AC-06 Least Privilege mitigates T1070 Indicator Removal

              VERIS Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              action.malware.variety.Export data Export data to another site or system related-to T1070 Indicator Removal

              Azure Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              alerts_for_linux_machines Alerts for Linux Machines technique_scores T1070 Indicator Removal
              Comments
              This control is only relevant for Linux environments and provides partial coverage for multiple Linux-relevant sub-techniques.
              References
              alerts_for_windows_machines Alerts for Windows Machines technique_scores T1070 Indicator Removal
              Comments
              This control's detection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.
              References
              defender_for_containers Microsoft Defender for Containers technique_scores T1070 Indicator Removal
              Comments
              This control may alert on deletion of Kubernetes events. Attackers might delete those events for hiding their operations in the cluster. There is no relevant sub-technique for this control but the parent applies.
              References

              GCP Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              google_secops Google Security Operations technique_scores T1070 Indicator Removal
              Comments
              Google Security Operations is able to trigger an alert when logs are cleared from the infrastructure. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/main/gcp_cloudaudit/gcp_log_deletion.yaral
              References
              security_command_center Security Command Center technique_scores T1070 Indicator Removal
              Comments
              SCC is able to detect when audit logging has been disabled for a resource. Adversaries may use this weakness to hide their activity and remove evidence of their presence (e.g., clear command history, clear logs, file deletion). This technique was graded as significant due to the high detect coverage and real-time temporal factor.
              References

              AWS Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              amazon_inspector Amazon Inspector technique_scores T1070 Indicator Removal on Host
              Comments
              The Amazon Inspector Best Practices assessment package can assess security control "Configure permissions for system directories" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Furthermore, Amazon Inspector only supports a subset of the sub-techniques for this technique. Due to these things and the fact the security control is only supported for Linux platforms, the score is Minimal.
              References

              ATT&CK Subtechniques

              Technique ID Technique Name Number of Mappings
              T1070.002 Clear Linux or Mac System Logs 30
              T1070.007 Clear Network Connection History and Configurations 14
              T1070.003 Clear Command History 12
              T1070.008 Clear Mailbox Data 29
              T1070.006 Timestomp 4
              T1070.001 Clear Windows Event Logs 29
              T1070.005 Network Share Connection Removal 2
              T1070.010 Relocate Malware 6
              T1070.009 Clear Persistence 14
              T1070.004 File Deletion 3