Review logs and residual traces

Execution of code and network communications often produce log entries or other system or network forensic artifacts. An adversary can run their code to identify what is recorded under different conditions. This may lead them to change their code or to add further actions to it (such as deleting a record from a log). [1] [2]

ID: T1358

Tactic: Test Capabilities

Version: 1.0

Detection

Detectable by Common Defenses (Yes/No/Partial): No

Explanation: Adversary controls the test and defender likely has no visibility.

Difficulty for the Adversary

Easy for the Adversary (Yes/No): Yes

Explanation: Adversary has full control of environment to determine what level of auditing and traces exist on a system after execution.

References

  1. Tavis Ormandy and Natalie Silvanovich. (2015, December 16). FireEye - Wormable Remote Code Execution in MIP JAR Analysis. Retrieved March 9, 2017.
  2. Infosec Institute. (2015, September 9). Covering Tracks of Attacks. Retrieved May 9, 2017.