Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks. In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device.
ID | Name | Description |
---|---|---|
S0607 | KillDisk | KillDisk deletes application, security, setup, and system event logs from Windows systems. [1] |
S1009 | Triton | Triton would reset the controller to the previous state over TriStation, and if this failed it would write a dummy program to memory in what was likely an attempt at anti-forensics. [2] |
C0030 | Triton Safety Instrumented System Attack | In the Triton Safety Instrumented System Attack, TEMP.Veles would programmatically return the controller to a normal running state if the Triton malware failed. If the controller could not recover in a defined time window, TEMP.Veles programmatically overwrote their malicious program with invalid data. [3] |
ID | Mitigation | Description |
---|---|---|
M0922 | Restrict File and Directory Permissions | Protect files stored locally with proper permissions to limit opportunities for adversaries to remove indicators of their activity on the system. [4] [5] |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution | Monitor executed commands and arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. |
DS0022 | File | File Deletion | Monitor for file deletions that may remove or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. |
DS0022 | File | File Metadata | Monitor for contextual file data that may show signs of deleted or altered generated artifacts on a host system, including logs or captured files such as quarantined malware. |
DS0022 | File | File Modification | Monitor for changes made to a file that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. |
DS0009 | Process | OS API Execution | Monitor for API calls that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. |
DS0009 | Process | Process Creation | Monitor for newly executed processes that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. |
DS0024 | Windows Registry | Windows Registry Key Deletion | Monitor for deletion of Windows Registry keys that may remove or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. For added context on adversary procedures and background see Indicator Removal and applicable sub-techniques. |
DS0024 | Windows Registry | Windows Registry Key Modification | Monitor for changes made to Windows Registry keys or values that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. For added context on adversary procedures and background see Indicator Removal and applicable sub-techniques. |