Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Removal of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.
ID | Name | Description |
---|---|---|
G1023 | APT5 |
APT5 has used the THINBLOOD utility to clear SSL VPN log files located at |
S0239 | Bankshot |
Bankshot deletes all artifacts associated with the malware from the infected machine.[3] |
S0089 | BlackEnergy |
BlackEnergy has removed the watermark associated with enabling the |
S0527 | CSPY Downloader |
CSPY Downloader has the ability to remove values it writes to the Registry.[5] |
C0029 | Cutting Edge |
During Cutting Edge, threat actors cleared logs to remove traces of their activity and restored compromised systems to a clean state to bypass manufacturer mitigations for CVE-2023-46805 and CVE-2024-21887.[6][7] |
S0673 | DarkWatchman |
DarkWatchman can uninstall malicious components from the Registry, stop processes, and clear the browser history.[8] |
S0695 | Donut |
Donut can erase file references to payloads in-memory after being reflectively loaded and executed.[9] |
S0568 | EVILNUM |
EVILNUM has a function called "DeleteLeftovers" to remove certain artifacts of the attack.[10] |
S0696 | Flagpro |
Flagpro can close specific Windows Security and Internet Explorer dialog boxes to mask external connections.[11] |
S1044 | FunnyDream |
FunnyDream has the ability to clean traces of malware deployment.[12] |
S0697 | HermeticWiper |
HermeticWiper can disable pop-up information about folders and desktop items and delete Registry keys to hide malicious services.[13][14] |
G0032 | Lazarus Group |
Lazarus Group has restored malicious KernelCallbackTable code to its original state after the process execution flow has been hijacked.[15] |
S0449 | Maze |
Maze has used the "Wow64RevertWow64FsRedirection" function following attempts to delete the shadow volumes, in order to leave the system in the same state as it was prior to redirection.[16] |
S0455 | Metamorfo |
Metamorfo has a command to delete a Registry key it uses, |
S0691 | Neoichor |
Neoichor can clear the browser history on a compromised host by changing the |
S0229 | Orz |
Orz can overwrite Registry settings to reduce its visibility on the victim.[19] |
S0448 | Rising Sun |
Rising Sun can clear a memory blog in the process by overwriting it with junk bytes.[20] |
S1085 | Sardonic |
Sardonic has the ability to delete created WMI objects to evade detections.[21] |
S0461 | SDBbot |
SDBbot has the ability to clean up and remove data structures from a compromised host.[22] |
S0596 | ShadowPad | |
S0589 | Sibot |
Sibot will delete an associated registry key if a certain server response is received.[24] |
S0692 | SILENTTRINITY |
SILENTTRINITY can remove artifacts from the compromised host, including created Registry keys.[25] |
C0024 | SolarWinds Compromise |
During the SolarWinds Compromise, APT29 temporarily replaced legitimate utilities with their own, executed their payload, and then restored the original file.[26] |
S0603 | Stuxnet |
Stuxnet can delete OLE Automation and SQL stored procedures used to store malicious payloads.[27] |
S0559 | SUNBURST |
SUNBURST removed HTTP proxy registry values to clean up traces of execution.[28] |
ID | Mitigation | Description |
---|---|---|
M1041 | Encrypt Sensitive Information |
Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary. |
M1029 | Remote Data Storage |
Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. |
M1022 | Restrict File and Directory Permissions |
Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0015 | Application Log | Application Log Content |
Monitor logs for abnormal modifications to application settings, such as the creation of malicious Exchange transport rules. |
DS0017 | Command | Command Execution |
Monitor executed commands and arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. |
DS0022 | File | File Deletion |
Monitor for a file that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. |
File Metadata |
Monitor for contextual file data that may show signs of deletion or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. |
||
File Modification |
Monitor for changes made to a file may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. |
||
DS0018 | Firewall | Firewall Rule Modification |
Monitor for changes made to firewall rules, especially unexpected modifications that may potentially be related to allowing and/or cleaning up previous tampering that enabled malicious network traffic. |
DS0029 | Network Traffic | Network Traffic Content |
Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). |
DS0009 | Process | OS API Execution |
Monitor for API calls that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. |
Process Creation |
Monitor for newly executed processes that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. |
||
DS0003 | Scheduled Job | Scheduled Job Modification |
Monitor for changes made to scheduled jobs that may attempt to remove artifacts on a host system. |
DS0002 | User Account | User Account Authentication |
Monitor for an attempt by a user to gain access to a network or computing resource, often by providing credentials that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. |
User Account Deletion |
Monitor for unexpected deletions of user accounts. Windows event logs may highlight activity associated with an adversary's attempt to remove an account (e.g., Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate account modification events with other indications of malicious activity where possible. |
||
DS0024 | Windows Registry | Windows Registry Key Deletion |
Monitor windows registry keys that may be deleted or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. |
Windows Registry Key Modification |
Monitor for changes made to windows registry keys or values that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. |