Indicator Removal on Host

Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks. In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device.

ID: T0872
Sub-techniques:  No sub-techniques
Tactic: Evasion
Platforms: Human-Machine Interface, Safety Instrumented System/Protection Relay
Version: 1.0
Created: 21 May 2020
Last Modified: 06 May 2022

Procedure Examples

ID Name Description
S0607 KillDisk

KillDisk deletes application, security, setup, and system event logs from Windows systems. [1]

S1009 Triton

Triton would reset the controller to the previous state over TriStation and if this failed it would write a dummy program to memory in what was likely an attempt at anti-forensics. [2]


ID Mitigation Description
M0922 Restrict File and Directory Permissions

Protect files stored locally with proper permissions to limit opportunities for adversaries to remove indicators of their activity on the system. [3] [4]


ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Deletion
File Metadata
File Modification
DS0029 Network Traffic Network Traffic Content
DS0009 Process OS API Execution
Process Creation
DS0002 User Account User Account Authentication
DS0024 Windows Registry Windows Registry Key Deletion
Windows Registry Key Modification