Indicator Removal on Host

Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and format of logs are platform or product-specific, however standard operating system logs are captured as Windows events or Linux/macOS files such as Bash History and /var/log/*.

These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This that may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.

ID: T1070
Tactic: Defense Evasion
Platforms: Containers, Linux, Windows, macOS
Data Sources: Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, User Account: User Account Authentication, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Defense Bypassed: Anti-virus, Host intrusion prevention systems, Log analysis
CAPEC ID: CAPEC-93
Contributors: Brad Geesaman, @bradgeesaman; Ed Williams, Trustwave, SpiderLabs
Version: 1.2
Created: 31 May 2017
Last Modified: 24 April 2021

Procedure Examples

ID Name Description
G0016 APT29

APT29 removed evidence of email export requests using Remove-MailboxExportRequest.[1] They temporarily replaced legitimate utilities with their own, executed their payload, and then restored the original file.[2]

S0239 Bankshot

Bankshot deletes all artifacts associated with the malware from the infected machine.[3]

S0534 Bazar

Bazar's loader can delete scheduled tasks created by a previous instance of the malware.[4]

S0089 BlackEnergy

BlackEnergy has removed the watermark associated with enabling the TESTSIGNING boot configuration option by removing the relevant strings in the user32.dll.mui of the system.[5]

S0527 CSPY Downloader

CSPY Downloader has the ability to remove values it writes to the Registry.[6]

S0568 EVILNUM

EVILNUM has a function called "DeleteLeftovers" to remove certain artifacts of the attack.[7]

S0477 Goopy

Goopy has the ability to delete emails used for C2 once the content has been copied.[8]

S0449 Maze

Maze has used the "Wow64RevertWow64FsRedirection" function following attempts to delete the shadow volumes, in order to leave the system in the same state as it was prior to redirection.[9]

S0500 MCMD

MCMD has the ability to remove set Registry Keys.[10]

S0455 Metamorfo

Metamorfo has a command to delete a Registry key it uses, \Software\Microsoft\Internet Explorer\notes.[11]

S0083 Misdat

Misdat is capable of deleting Registry keys used for persistence.[12]

S0385 njRAT

njRAT is capable of deleting objects related to itself (registry keys, files, and firewall rules) on the victim.[13][14]

S0229 Orz

Orz can overwrite Registry settings to reduce its visibility on the victim.[15]

S0517 Pillowmint

Pillowmint can uninstall the malicious service from an infected machine.[16]

S0428 PoetRAT

PoetRAT has the ability to overwrite scripts and delete itself if a sandbox environment is detected.[17]

S0113 Prikormka

After encrypting its own log files, the log encryption module in Prikormka deletes the original, unencrypted files from the host.[18]

S0448 Rising Sun

Rising Sun can clear process memory by overwriting it with junk bytes.[19]

S0148 RTM

RTM has the ability to remove Registry entries that it created during execution.[20]

S0461 SDBbot

SDBbot has the ability to clean up and remove data structures from a compromised host.[21]

S0596 ShadowPad

ShadowPad has deleted arbitrary Registry values.[22]

S0589 Sibot

Sibot will delete an associated registry key if a certain server response is received.[23]

S0559 SUNBURST

SUNBURST removed IFEO values to clean up traces of execution.[24]

Mitigations

ID Mitigation Description
M1041 Encrypt Sensitive Information

Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.

M1029 Remote Data Storage

Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system.

M1022 Restrict File and Directory Permissions

Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.

Detection

File system monitoring may be used to detect improper deletion or modification of indicator files. Events not stored on the file system may require different detection mechanisms.

References

  1. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  2. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  3. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  4. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020.
  5. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  6. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  7. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  8. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  9. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  10. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.
  11. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  12. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.