Indicator Removal on Host

Technique
ID T1070
Tactic Defense Evasion
Platform Linux, macOS, Windows
Data Sources File monitoring, Process command-line parameters, Process monitoring
Defense Bypassed Anti-virus, Log analysis, Host intrusion prevention systems
CAPEC ID CAPEC-93

Adversaries may delete or alter generated event files on a host system, including potentially captured files such as quarantined malware. This may compromise the integrity of the security solution, causing events to go unreported, or hinder forensic analysis and incident response because insufficient data remains on the host to reconstruct what occurred.

Examples

  • APT28 has cleared event logs using the commands wevtutil cl System and wevtutil cl Security.[1]
  • APT29 used SDelete to remove artifacts from victims.[2]
  • APT29 used multiple versions of malware, and also minimized re-use of commonly-identified indicators like MD5s and C2s.[2]
  • APT32 has cleared select event log entries.[3]
  • Dragonfly deleted system, security, terminal services, remote services, and audit logs from a victim.[4]
  • FIN5 has cleared event logs from victims.[5]
  • FIN8 has cleared logs during post-compromise cleanup activities.[6]
  • The BlackEnergy component KillDisk is capable of deleting Windows Event Logs.[7]
  • Hydraq creates a backdoor through which remote attackers can clear all system event logs.[8][9]
  • Misdat is capable of deleting Registry keys used for persistence.[10]
  • Orz can overwrite Registry settings to reduce its visibility on the victim.[11]
  • After encrypting log files, the log encryption module in Prikormka deletes the original, unencrypted files from the host.[12]
  • Pupy has a module to clear event logs with PowerShell.[13]
  • RTM has the ability to remove Registry entries that it created during execution.[14]
  • gh0st RAT is able to wipe event logs.[15]

Mitigation

Automatically forward events to a log server or data repository so that the only copy of an event is never the one on the compromised host, where the adversary can locate and manipulate it. When possible, minimize the delay between event generation and forwarding: a log that is shipped every few seconds leaves the adversary little to destroy, while one batched hourly can be cleared before it ever leaves the host. Protect event files that are stored locally with proper permissions and authentication so that clearing them requires privileges the adversary must first escalate to. Obfuscate or encrypt event files locally and in transit so that an adversary who reads them cannot learn what has been recorded about their own activity.

Detection

File system monitoring may be used to detect improper deletion or modification of indicator files, for example an auditd watch on /var/log or a file integrity monitor on local log directories. Events not stored on the file system will require different detection mechanisms. On Windows, the Event Log service records the clearing of the Security log as Event ID 1102 and the clearing of other logs such as System as Event ID 104 (provider Microsoft-Windows-Eventlog); these records are written into the log that was just cleared, so they only have lasting value if they are forwarded off the host promptly. Process command-line monitoring can catch the tooling itself (wevtutil cl, the PowerShell Clear-EventLog and Remove-EventLog cmdlets, SDelete, reg delete against persistence keys, rm or truncation of /var/log files, history -c), and a process that clears logs is most suspicious when it is followed by the corresponding 1102 or 104 record, or when that record is missing because forwarding stopped. Finally, an unexplained gap in a host's otherwise continuous event stream is itself an indicator worth alerting on.
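The following is an added example, not code from the ATT&CK page or from any of the groups or tools listed above. It runs the detection logic described here over constructed, inline telemetry: process-creation events (field names modeled loosely on Sysmon Event ID 1, not an exact schema) whose command lines reflect the behaviours in the Examples section (wevtutil cl, Clear-EventLog, SDelete, reg delete, rm against /var/log, history -c), plus Windows Event Log records including the 1102/104 "log cleared" events. It then correlates the two signals per host so that a clearing command confirmed by the log's own record ranks higher than either signal alone. All hostnames, users, paths and rule names are assumptions made up for the example.

```python
"""Detect host indicator removal (ATT&CK T1070) in constructed sample telemetry.

Added example: two independent signals are scanned and then correlated per host.
  1. Process command lines that clear logs or delete artifacts.
  2. The Windows Event Log's own "log cleared" records:
     Security log cleared -> Event ID 1102, other logs (e.g. System) -> Event ID 104,
     both from provider Microsoft-Windows-Eventlog.
"""
import re

# Constructed process-creation events (loosely Sysmon Event ID 1 shaped; assumed schema).
PROCESS_EVENTS = [
    {"host": "ws01", "user": r"CORP\alice", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil cl System"},
    {"host": "ws01", "user": r"CORP\alice", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil cl Security"},
    {"host": "ws01", "user": r"CORP\bob", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil qe Security /c:20 /f:text"},            # benign: query, not clear
    {"host": "srv02", "user": r"CORP\svc_backup", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -nop -w hidden -c "Clear-EventLog -LogName Application,System"'},
    {"host": "srv02", "user": r"CORP\svc_backup", "image": r"C:\Users\Public\sdelete64.exe",
     "cmdline": r"sdelete64.exe -p 3 C:\Users\Public\stage.bin"},
    {"host": "ws01", "user": r"CORP\alice", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v updater /f'},
    {"host": "lnx03", "user": "root", "image": "/bin/sh",
     "cmdline": "rm -rf /var/log/audit/audit.log /var/log/wtmp"},
    {"host": "lnx03", "user": "root", "image": "/bin/sh",
     "cmdline": "cat /var/log/syslog | tail -n 50"},                # benign: reads the log
    {"host": "lnx03", "user": "deploy", "image": "/bin/bash",
     "cmdline": "history -c && unset HISTFILE"},
]

# Constructed Windows Event Log records (assumed schema).
EVENTLOG_RECORDS = [
    {"host": "ws01", "channel": "Security", "event_id": 1102, "provider": "Microsoft-Windows-Eventlog",
     "subject": r"CORP\alice"},
    {"host": "ws01", "channel": "System", "event_id": 104, "provider": "Microsoft-Windows-Eventlog",
     "subject": r"CORP\alice"},
    {"host": "ws01", "channel": "Security", "event_id": 4624, "provider": "Microsoft-Windows-Security-Auditing",
     "subject": r"CORP\bob"},                                       # benign: logon
    {"host": "srv02", "channel": "Security", "event_id": 4688, "provider": "Microsoft-Windows-Security-Auditing",
     "subject": r"CORP\svc_backup"},                                # benign: process creation
]

# Command-line rules. Each is checked in order; the first match names the rule.
CMDLINE_RULES = [
    ("wevtutil_clear", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("powershell_clear_eventlog", re.compile(r"\b(Clear|Remove)-EventLog\b", re.I)),
    ("sdelete", re.compile(r"\bsdelete(64)?(\.exe)?\b", re.I)),
    ("registry_delete", re.compile(r"\breg(\.exe)?\s+delete\b", re.I)),
    # rm of a /var/log path, shell truncation (> /var/log/...), or shell history removal
    ("unix_log_removal", re.compile(r"\brm\b[^|;&]*\s/var/log/|>\s*/var/log/|\bhistory\s+-c\b|unset\s+HISTFILE", re.I)),
]

# (channel, event_id) pairs the Event Log service writes when a log is cleared.
LOG_CLEARED_IDS = {("Security", 1102), ("System", 104)}


def scan_process_events(events):
    """Return one hit per event whose command line matches a log/artifact-removal rule."""
    hits = []
    for ev in events:
        for name, rx in CMDLINE_RULES:
            if rx.search(ev["cmdline"]):
                hits.append({"host": ev["host"], "user": ev["user"], "rule": name, "cmdline": ev["cmdline"]})
                break
    return hits


def scan_eventlog_records(records):
    """Return the records that are the Event Log's own 'log cleared' notifications."""
    return [r for r in records if (r["channel"], r["event_id"]) in LOG_CLEARED_IDS]


def summarize(events, records):
    """Correlate both signals per host: command + confirming 1102/104 record -> high."""
    hosts = {}
    for h in scan_process_events(events):
        hosts.setdefault(h["host"], {"rules": set(), "log_cleared": False})["rules"].add(h["rule"])
    for r in scan_eventlog_records(records):
        hosts.setdefault(r["host"], {"rules": set(), "log_cleared": False})["log_cleared"] = True
    out = {}
    for host, info in hosts.items():
        severity = "high" if (info["log_cleared"] and info["rules"]) else "medium"
        out[host] = {"severity": severity, "rules": sorted(info["rules"]), "log_cleared": info["log_cleared"]}
    return out


if __name__ == "__main__":
    for host, info in summarize(PROCESS_EVENTS, EVENTLOG_RECORDS).items():
        print(f"{host}: {info['severity']} rules={info['rules']} log_cleared={info['log_cleared']}")
```

In the sample data ws01 is rated high because the wevtutil commands are backed by the 1102 and 104 records, while srv02 ran Clear-EventLog against the System log but no 104 record arrived; that absence is worth investigating rather than ignoring, since it is what stopped forwarding looks like. The command-line rules are deliberately narrow (wevtutil qe and cat /var/log/syslog are not flagged) and are easy to evade by renaming or copying the binary, which is exactly why the correlation with the Event Log's own record, forwarded off-host, carries the weight.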

References