1. Home
  2. ATT&CK Techniques
  3. T1070 Indicator Removal on Host

T1070 Indicator Removal on Host Mappings

Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and format of logs are platform or product-specific, however standard operating system logs are captured as Windows events or Linux/macOS files such as Bash History and /var/log/*.

These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This that may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.

View in MITRE ATT&CK®

NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-16 Security and Privacy Attributes Protects T1070 Indicator Removal on Host
AC-17 Remote Access Protects T1070 Indicator Removal on Host
AC-18 Wireless Access Protects T1070 Indicator Removal on Host
AC-19 Access Control for Mobile Devices Protects T1070 Indicator Removal on Host
AC-2 Account Management Protects T1070 Indicator Removal on Host
AC-3 Access Enforcement Protects T1070 Indicator Removal on Host
AC-5 Separation of Duties Protects T1070 Indicator Removal on Host
AC-6 Least Privilege Protects T1070 Indicator Removal on Host
CA-7 Continuous Monitoring Protects T1070 Indicator Removal on Host
CM-2 Baseline Configuration Protects T1070 Indicator Removal on Host
CM-6 Configuration Settings Protects T1070 Indicator Removal on Host
CP-6 Alternate Storage Site Protects T1070 Indicator Removal on Host
CP-7 Alternate Processing Site Protects T1070 Indicator Removal on Host
CP-9 System Backup Protects T1070 Indicator Removal on Host
SC-36 Distributed Processing and Storage Protects T1070 Indicator Removal on Host
SC-4 Information in Shared System Resources Protects T1070 Indicator Removal on Host
SI-12 Information Management and Retention Protects T1070 Indicator Removal on Host
SI-23 Information Fragmentation Protects T1070 Indicator Removal on Host
SI-3 Malicious Code Protection Protects T1070 Indicator Removal on Host
SI-4 System Monitoring Protects T1070 Indicator Removal on Host
SI-7 Software, Firmware, and Information Integrity Protects T1070 Indicator Removal on Host

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1070 Indicator Removal on Host

AWS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
amazon_inspector Amazon Inspector technique_scores T1070 Indicator Removal on Host
Comments
The Amazon Inspector Best Practices assessment package can assess security control "Configure permissions for system directories" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Furthermore, Amazon Inspector only supports a subset of the sub-techniques for this technique. Due to these things and the fact the security control is only supported for Linux platforms, the score is Minimal.
References
  1. https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1070.003 Clear Command History 12
T1070.002 Clear Linux or Mac System Logs 24
T1070.001 Clear Windows Event Logs 23
T1070.004 File Deletion 2
T1070.005 Network Share Connection Removal 2
T1070.006 Timestomp 2