Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. These artifacts are either created directly by the adversary or generated by the system in response to the adversary's actions. Defenders typically use them as indicators tied to monitored events, such as strings from downloaded files, logs generated by user actions, and other data they analyze. The location, format, and type of artifact (such as command or login history) are often specific to each platform.
Removal of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| IAM-16 | Authorization Mechanisms | mitigates | T1070 | Indicator Removal | This control requires both the CSP and the CSC to independently enforce a formal approval process for user access and to implement dynamic, explicit authorization mechanisms. The guidance focuses on technical measures that verify authorization and prevent unauthorized access and execution. |
| UEM-10 | Software Firewall | mitigates | T1070 | Indicator Removal | This control requires CSPs and CSCs to install, update, and properly configure endpoint and software-defined firewalls, to review and approve firewall rule changes, and to monitor traffic for anomalies and malicious code. These measures help prevent unauthorized access, block threats, and ensure that only approved firewall rules are active. |
| LOG-10 | Audit Records Protection | mitigates | T1070 | Indicator Removal | This control requires both the CSP and the CSC to independently protect audit logs through strict access controls, encryption, isolated log environments, continuous monitoring, vulnerability management, and similar measures, so that the logs remain usable for investigations or legal proceedings. |
| LOG-04 | Audit Logs Access and Accountability | mitigates | T1070 | Indicator Removal | This control requires both the CSP and the CSC to restrict audit log access using RBAC, MFA, least privilege, and separation of duties, so that only authorized personnel can access sensitive logs and every access is traceable. These permissions prevent adversaries from disabling or interfering with security and logging services. |
| LOG-02 | Audit Logs Protection | mitigates | T1070 | Indicator Removal | This control requires both the CSP and the CSC to independently protect and retain audit logs through centralized logging, secure and tamper-evident storage, access restrictions, and regular monitoring and review, so that logs remain available and trustworthy for investigations and are protected against improper modification. |
| DSP-16 | Data Retention and Deletion | mitigates | T1070 | Indicator Removal | This control describes the shared responsibility of the CSP and the CSC for securely managing data retention, archiving, and deletion across all cloud service models. Implementation involves establishing secure tools and processes for data retention, configuring backups, enforcing retention policies, and maintaining safeguards within each party's environment. Against this technique, automatically forward events to a log server or data repository so that the adversary cannot locate and manipulate the only copy on the local system, and, where possible, minimize the delay in event reporting to avoid prolonged storage on the local system. |
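The mitigations above (forward events off-host promptly, keep audit logs tamper-evident, monitor them) only pay off if the collector actually looks for the removal. The following is an added example written for this page, not code from the CSA CCM, MITRE ATT&CK, or the mapping project: a small Python detector that runs over constructed log lines in an assumed `<ISO-8601 timestamp> key=value ...` layout and flags the kinds of activity the sub-technique table below counts. It looks for Windows Security event 1102 and System event 104, which Windows records when an event log is cleared; `wevtutil cl` in a process-creation (4688) event; auditd EXECVE records that delete or truncate shell history or files under /var/log; and a per-host gap in the log flow, which is what a collector sees when local logs are destroyed before they are forwarded. The event IDs are real Windows identifiers; the host names, timestamps, line format, and the 15-minute gap threshold are constructed assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample lines (not real telemetry). The "<timestamp> key=value ..."
# layout is an assumption of this example, not a format from the mapping page.
SAMPLE_LOG_LINES = [
    '2024-05-01T10:00:00Z host=win-srv1 source=Security event_id=4624 msg="An account was successfully logged on"',
    '2024-05-01T10:00:05Z host=win-srv1 source=Security event_id=4688 msg="A new process has been created" cmdline="wevtutil.exe cl Security"',
    '2024-05-01T10:00:06Z host=win-srv1 source=Security event_id=1102 msg="The audit log was cleared"',
    '2024-05-01T10:00:07Z host=win-srv1 source=System event_id=104 msg="The System log file was cleared"',
    '2024-05-01T10:01:00Z host=lnx-web1 source=auditd msg="type=EXECVE a0=rm a1=-f a2=/home/svc/.bash_history"',
    '2024-05-01T10:01:30Z host=lnx-web1 source=auditd msg="type=EXECVE a0=ls a1=-la a2=/tmp"',
    '2024-05-01T10:02:00Z host=lnx-web1 source=auditd msg="type=EXECVE a0=truncate a1=-s0 a2=/var/log/auth.log"',
    '2024-05-01T10:30:00Z host=lnx-web1 source=auditd msg="type=EXECVE a0=uptime"',
]

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Windows writes Security 1102 ("The audit log was cleared") and System 104
# (an event log file was cleared); 4688 is process creation with command line.
WIN_LOG_CLEARED = {("Security", "1102"), ("System", "104")}
WEVTUTIL_CLEAR_RE = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.IGNORECASE)
# Binaries that delete or empty files, and the artifact paths worth watching.
DESTRUCTIVE_BINS = {"rm", "shred", "truncate", "unlink"}
SENSITIVE_PATH_RE = re.compile(r"\.(?:bash|zsh|sh)_history$|^/var/log/|^/var/run/utmp$")


@dataclass
class Event:
    ts: datetime
    host: str
    source: str
    fields: dict[str, str] = field(default_factory=dict)


def parse_line(line: str) -> Event:
    """Split '<ISO-8601> key=value ...' into an Event; quoted values may hold spaces."""
    ts_str, _, rest = line.partition(" ")
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    fields = {}
    for key, val in KV_RE.findall(rest):
        fields[key] = val[1:-1] if val.startswith('"') else val
    return Event(ts, fields["host"], fields["source"], fields)


def auditd_argv(msg: str) -> list[str]:
    """Rebuild argv from an auditd EXECVE record's a0=, a1=, ... fields, in order."""
    args = dict(re.findall(r"\ba(\d+)=(\S+)", msg))
    return [args[k] for k in sorted(args, key=int)]


def detect_indicator_removal(lines, silence_gap=timedelta(minutes=15)):
    """Return (host, rule, timestamp) findings for T1070-style activity, in time order."""
    events = sorted((parse_line(line) for line in lines), key=lambda e: e.ts)
    findings = []
    last_seen: dict[str, datetime] = {}
    for e in events:
        f = e.fields
        # Rule 1: Windows records the clearing of its own logs (T1070.001).
        if (e.source, f.get("event_id")) in WIN_LOG_CLEARED:
            findings.append((e.host, "windows_log_cleared", e.ts))
        # Rule 2: the clearing command itself, if process creation is audited.
        if f.get("event_id") == "4688" and WEVTUTIL_CLEAR_RE.search(f.get("cmdline", "")):
            findings.append((e.host, "wevtutil_clear", e.ts))
        # Rule 3: deletion or truncation of shell history or /var/log files
        # (T1070.002 Clear Linux or Mac System Logs, T1070.003 Clear Command History).
        if e.source == "auditd":
            argv = auditd_argv(f.get("msg", ""))
            if argv and argv[0].rsplit("/", 1)[-1] in DESTRUCTIVE_BINS \
                    and any(SENSITIVE_PATH_RE.search(a) for a in argv[1:]):
                findings.append((e.host, "linux_artifact_removed", e.ts))
        # Rule 4: a host that goes quiet. With prompt forwarding in place, a gap
        # is itself a signal that local logs were destroyed or the agent stopped.
        prev = last_seen.get(e.host)
        if prev is not None and e.ts - prev > silence_gap:
            findings.append((e.host, "log_flow_gap", e.ts))
        last_seen[e.host] = e.ts
    return findings


if __name__ == "__main__":
    for host, rule, ts in detect_indicator_removal(SAMPLE_LOG_LINES):
        print(f"{ts.isoformat()} {host:10} {rule}")
```

Rules 1 to 3 are high-confidence on their own; rule 4 needs a threshold tuned to each host's normal event rate, and a gap should be correlated with agent health before it is treated as log destruction rather than a forwarding outage.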
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1070.002 | Clear Linux or Mac System Logs | 3 |
| T1070.007 | Clear Network Connection History and Configurations | 3 |
| T1070.008 | Clear Mailbox Data | 1 |
| T1070.001 | Clear Windows Event Logs | 3 |
| T1070.009 | Clear Persistence | 2 |