T1070 Indicator Removal on Host Mappings

Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and format of logs are platform or product-specific, however standard operating system logs are captured as Windows events or Linux/macOS files such as Bash History and /var/log/*.

These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This that may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-16 Security and Privacy Attributes Protects T1070 Indicator Removal on Host
AC-17 Remote Access Protects T1070 Indicator Removal on Host
AC-18 Wireless Access Protects T1070 Indicator Removal on Host
AC-19 Access Control for Mobile Devices Protects T1070 Indicator Removal on Host
AC-2 Account Management Protects T1070 Indicator Removal on Host
AC-3 Access Enforcement Protects T1070 Indicator Removal on Host
AC-5 Separation of Duties Protects T1070 Indicator Removal on Host
AC-6 Least Privilege Protects T1070 Indicator Removal on Host
CA-7 Continuous Monitoring Protects T1070 Indicator Removal on Host
CM-2 Baseline Configuration Protects T1070 Indicator Removal on Host
CM-6 Configuration Settings Protects T1070 Indicator Removal on Host
CP-6 Alternate Storage Site Protects T1070 Indicator Removal on Host
CP-7 Alternate Processing Site Protects T1070 Indicator Removal on Host
CP-9 System Backup Protects T1070 Indicator Removal on Host
SC-36 Distributed Processing and Storage Protects T1070 Indicator Removal on Host
SC-4 Information in Shared System Resources Protects T1070 Indicator Removal on Host
SI-12 Information Management and Retention Protects T1070 Indicator Removal on Host
SI-23 Information Fragmentation Protects T1070 Indicator Removal on Host
SI-3 Malicious Code Protection Protects T1070 Indicator Removal on Host
SI-4 System Monitoring Protects T1070 Indicator Removal on Host
SI-7 Software, Firmware, and Information Integrity Protects T1070 Indicator Removal on Host
alerts_for_windows_machines Alerts for Windows Machines technique_scores T1070 Indicator Removal on Host
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration technique_scores T1070 Indicator Removal on Host
azure_sentinel Azure Sentinel technique_scores T1070 Indicator Removal on Host
azure_defender_for_kubernetes Azure Defender for Kubernetes technique_scores T1070 Indicator Removal on Host

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1070.003 Clear Command History 11
T1070.002 Clear Linux or Mac System Logs 22
T1070.001 Clear Windows Event Logs 23
T1070.004 File Deletion 1
T1070.006 Timestomp 1