Indicator Removal on Host
| Field | Value |
|---|---|
| Platform | Linux, macOS, Windows |
| Data Sources | File monitoring, Process command-line parameters, Process monitoring |
| Defense Bypassed | Anti-virus, Log analysis, Host intrusion prevention systems |
Adversaries may delete or alter generated event files on a host system, including potentially captured files such as quarantined malware. This may compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine what occurred.
- APT28 has cleared event logs using the commands `wevtutil cl System` and `wevtutil cl Security`. [1]
- APT29 used sdelete to remove artifacts from victims. [2]
- APT29 used multiple versions of malware, and also minimized re-use of commonly-identified indicators like MD5s and C2s. [2]
- Dragonfly deleted system, security, terminal services, remote services, and audit logs from a victim. [3]
- FIN5 has cleared event logs from victims. [4]
- The BlackEnergy component KillDisk is capable of deleting Windows Event Logs. [5]
- Misdat is capable of deleting Registry keys used for persistence. [6]
- After encrypting log files, the log encryption module in Prikormka deletes the original, unencrypted files from the host. [7]
- RTM has the ability to remove Registry entries that it created during execution. [8]
- gh0st RAT is able to wipe event logs. [9]
Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. Protect generated event files that are stored locally with proper permissions and authentication. Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.
File system monitoring may be used to detect improper deletion or modification of indicator files. Events not stored on the file system will require different detection mechanisms.
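The process command-line data source listed above gives a second detection path alongside file system monitoring: the `wevtutil cl` and sdelete invocations cited in the examples leave a recognisable command line at process creation. The following is an added example, not part of the ATT&CK page, that runs such a check over a few constructed process-creation records. The pipe-separated record format, the host and user names, and the log contents are assumptions made for the example; `clear-log` is the long form of the `cl` subcommand and is included so the rule is not bypassed by spelling the subcommand out.

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample process-creation records (not from the page).
# Format assumed for the example: timestamp|host|user|command_line
SAMPLE_LOG = """\
2024-01-10T10:01:02Z|WS01|alice|C:\\Windows\\System32\\notepad.exe report.txt
2024-01-10T10:02:15Z|WS01|admin|wevtutil cl System
2024-01-10T10:02:16Z|WS01|admin|wevtutil.exe cl Security
2024-01-10T10:05:40Z|SRV02|svc|sdelete.exe -p 3 C:\\Temp\\dropper.exe
2024-01-10T10:06:00Z|SRV02|svc|wevtutil qe Security /c:5
"""


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    rule: str
    detail: str


def _exe_name(token: str) -> str:
    """Strip directory and .exe suffix and lower-case: 'C:\\x\\WEVTUTIL.EXE' -> 'wevtutil'."""
    name = token.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def inspect_command(command_line: str) -> Optional[Tuple[str, str]]:
    """Return (rule, detail) if the command line matches a known indicator-removal pattern."""
    try:
        # posix=False keeps Windows backslash paths intact instead of treating '\\' as escapes.
        argv = shlex.split(command_line, posix=False)
    except ValueError:
        argv = command_line.split()
    if not argv:
        return None
    exe = _exe_name(argv[0])
    # wevtutil cl <log> / wevtutil clear-log <log>: event log cleared.
    # Queries such as 'wevtutil qe' are normal administration and are not flagged.
    if exe == "wevtutil" and len(argv) >= 2 and argv[1].lower() in ("cl", "clear-log"):
        log_name = argv[2] if len(argv) > 2 else "<unspecified>"
        return ("event_log_cleared", f"wevtutil cleared log {log_name}")
    # sdelete: secure deletion tool used to remove artifacts.
    if exe == "sdelete":
        return ("secure_delete", "sdelete invoked: " + " ".join(argv[1:]))
    return None


def scan_process_log(text: str) -> List[Finding]:
    """Apply inspect_command to each record and collect the findings."""
    findings: List[Finding] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, host, user, command_line = line.split("|", 3)
        hit = inspect_command(command_line)
        if hit is not None:
            findings.append(Finding(timestamp, host, user, hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for f in scan_process_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host} {f.user}: [{f.rule}] {f.detail}")
```

Because the matching is done on the parsed executable name rather than a substring of the raw line, a fully qualified or upper-cased path to `wevtutil.exe` still matches, while read-only subcommands on the same binary do not. As the page notes, this only covers events that reach the process log; if the adversary clears the log before it is forwarded, the record of the clearing itself can be lost, which is why forwarding with minimal delay is the primary mitigation.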
1. Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
2. Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
3. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
4. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
5. Cherepanov, A. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved May 18, 2016.
6. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
7. Cherepanov, A. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
8. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
9. FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016.