T1070 Indicator Removal Mappings

Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.

Removal of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.

View in MITRE ATT&CK®

NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CA-07 Continuous Monitoring mitigates T1070 Indicator Removal
CM-06 Configuration Settings mitigates T1070 Indicator Removal
AC-17 Remote Access mitigates T1070 Indicator Removal
CP-06 Alternate Storage Site mitigates T1070 Indicator Removal
CP-07 Alternate Processing Site mitigates T1070 Indicator Removal
SC-36 Distributed Processing and Storage mitigates T1070 Indicator Removal
SI-23 Information Fragmentation mitigates T1070 Indicator Removal
CP-09 System Backup mitigates T1070 Indicator Removal
SC-04 Information in Shared System Resources mitigates T1070 Indicator Removal
SI-12 Information Management and Retention mitigates T1070 Indicator Removal
SI-03 Malicious Code Protection mitigates T1070 Indicator Removal
SI-07 Software, Firmware, and Information Integrity mitigates T1070 Indicator Removal
AC-16 Security and Privacy Attributes mitigates T1070 Indicator Removal
AC-18 Wireless Access mitigates T1070 Indicator Removal
CM-02 Baseline Configuration mitigates T1070 Indicator Removal
SI-04 System Monitoring mitigates T1070 Indicator Removal
AC-02 Account Management mitigates T1070 Indicator Removal
AC-03 Access Enforcement mitigates T1070 Indicator Removal
AC-05 Separation of Duties mitigates T1070 Indicator Removal
AC-06 Least Privilege mitigates T1070 Indicator Removal

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.malware.variety.Export data Export data to another site or system related-to T1070 Indicator Removal

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
google_secops Google Security Operations technique_scores T1070 Indicator Removal
Comments
Google Security Operations is able to trigger an alert when logs are cleared from the infrastructure. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/main/gcp_cloudaudit/gcp_log_deletion.yaral
References
security_command_center Security Command Center technique_scores T1070 Indicator Removal
Comments
SCC is able to detect when audit logging has been disabled for a resource. Adversaries may use this weakness to hide their activity and remove evidence of their presence (e.g., clear command history, clear logs, file deletion). This technique was graded as significant due to the high detect coverage and real-time temporal factor.
References

AWS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
amazon_inspector Amazon Inspector technique_scores T1070 Indicator Removal on Host
Comments
The Amazon Inspector Best Practices assessment package can assess security control "Configure permissions for system directories" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Furthermore, Amazon Inspector only supports a subset of the sub-techniques for this technique. Due to these things and the fact the security control is only supported for Linux platforms, the score is Minimal.
References

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1070.002 Clear Linux or Mac System Logs 24
T1070.007 Clear Network Connection History and Configurations 12
T1070.003 Clear Command History 11
T1070.008 Clear Mailbox Data 25
T1070.006 Timestomp 2
T1070.001 Clear Windows Event Logs 23
T1070.005 Network Share Connection Removal 2
T1070.010 Relocate Malware 5
T1070.009 Clear Persistence 12
T1070.004 File Deletion 2