Monitor executed commands and arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.
Monitor for API calls that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.
Monitor for changes made to Windows Registry keys or values that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. For added context on adversary procedures and background see Indicator Removal and applicable sub-techniques.
Monitor for contextual file data that may show signs of deletion or alteration of generated artifacts on a host system, including logs or captured files such as quarantined malware.
Monitor for the deletion of Windows Registry keys that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. For added context on adversary procedures and background see Indicator Removal and applicable sub-techniques.
Monitor for file deletions that may remove or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.
Monitor for changes made to a file that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.
Monitor for newly executed processes that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.
| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | Command | None |
| OS API Execution (DC0021) | Process | None |
| Windows Registry Key Modification (DC0063) | Windows Registry | None |
| File Metadata (DC0059) | File | None |
| Windows Registry Key Deletion (DC0045) | Windows Registry | None |
| File Deletion (DC0040) | File | None |
| File Modification (DC0061) | File | None |
| Process Creation (DC0032) | Process | None |