Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks. In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device.
| ID | Mitigation |
|---|---|
| M0922 | Restrict File and Directory Permissions |

| ID | Data Source | Data Component |
|---|---|---|
| DS0029 | Network Traffic | Network Traffic Content |
| DS0009 | Process | OS API Execution |
| DS0002 | User Account | User Account Authentication |
| DS0024 | Windows Registry | Windows Registry Key Deletion |
| | | Windows Registry Key Modification |