Indicator Removal on Host
| Field | Value |
|---|---|
| Platform | Linux, macOS, Windows |
| Data Sources | File monitoring, Process command-line parameters, Process monitoring |
| Defense Bypassed | Anti-virus, Log analysis, Host intrusion prevention systems |
Adversaries may delete or alter generated event files on a host system, including potentially captured files such as quarantined malware. This may compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine what occurred.
Examples
- APT28 has cleared event logs using the commands `wevtutil cl System` and `wevtutil cl Security`. [1]
- APT29 used multiple versions of malware, and also minimized re-use of commonly-identified indicators like MD5s and C2s. [2]
- APT29 used SDelete to remove artifacts from victims. [2]
- APT32 has cleared select event log entries. [3]
- Dragonfly deleted system, security, terminal services, remote services, and audit logs from a victim. [4]
- FIN5 has cleared event logs from victims. [5]
- FIN8 has cleared logs during post compromise cleanup activities. [6]
- The BlackEnergy component KillDisk is capable of deleting Windows Event Logs. [7]
- Hydraq creates a backdoor through which remote attackers can clear all system event logs. [8][9]
- Misdat is capable of deleting Registry keys used for persistence. [10]
- Orz can overwrite Registry settings to reduce its visibility on the victim. [11]
- After encrypting log files, the log encryption module in Prikormka deletes the original, unencrypted files from the host. [12]
- Pupy has a module to clear event logs with PowerShell. [13]
- RTM has the ability to remove Registry entries that it created during execution. [14]
- gh0st RAT is able to wipe event logs. [15]
Mitigation
Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. Protect generated event files that are stored locally with proper permissions and authentication. Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.
Detection
File system monitoring may be used to detect improper deletion or modification of indicator files. Events not stored on the file system will require different detection mechanisms.
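The following is an added detection example, not part of the original page: it scans process-creation records (the "Process command-line parameters" data source listed above) for the log-clearing commands the examples describe (`wevtutil cl`, and the PowerShell `Clear-EventLog` cmdlet used by Pupy-style modules), and also flags the audit record Windows itself writes when a log is purged. The sample records are constructed for the example; the hosts, users and record layout are assumptions, and the event IDs 1102 and 104 are standard Windows Event Log IDs rather than values taken from the page.

```python
"""Detect local event-log clearing from forwarded process and event telemetry.

Added example (not from the original page). Records are expected to have
already been forwarded off the host, as the mitigation section advises,
so that clearing the local log does not also erase the evidence of it.
"""
import re
from dataclasses import dataclass

# Command lines that clear a Windows event log. "wevtutil cl" is the form
# quoted on the page; "clear-log" is its long spelling. Clear-EventLog is
# the PowerShell cmdlet. Both are matched case-insensitively, as on Windows.
WEVTUTIL_CLEAR = re.compile(
    r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+([\w\-/]+)", re.IGNORECASE)
POWERSHELL_CLEAR = re.compile(
    r"\bClear-EventLog\b(?:\s+-LogName)?\s+[\"']?([\w\-/]+)", re.IGNORECASE)

# Windows writes these records when a log is cleared through the Event Log
# service: 1102 in the Security log, 104 in the System log (assumed mapping
# to the cleared log name is carried in the record's "cleared_log" field).
LOG_CLEARED_EVENT_IDS = {1102, 104}


@dataclass
class Finding:
    host: str
    user: str
    tool: str       # "wevtutil", "Clear-EventLog" or "eventlog-service"
    log: str        # name of the log that was cleared
    evidence: str   # the command line or event ID that triggered the finding


def classify_command(cmdline):
    """Return (tool, log_name) if the command line clears an event log, else None."""
    m = WEVTUTIL_CLEAR.search(cmdline)
    if m:
        return ("wevtutil", m.group(1))
    m = POWERSHELL_CLEAR.search(cmdline)
    if m:
        return ("Clear-EventLog", m.group(1))
    return None


def scan(records):
    """Walk a list of telemetry records and return a Finding for each clearing action."""
    findings = []
    for r in records:
        if r["kind"] == "process":
            hit = classify_command(r["cmdline"])
            if hit:
                tool, log = hit
                findings.append(Finding(r["host"], r["user"], tool, log, r["cmdline"]))
        elif r["kind"] == "winlog" and r["event_id"] in LOG_CLEARED_EVENT_IDS:
            findings.append(Finding(r["host"], r["user"], "eventlog-service",
                                    r["cleared_log"], f"EventID {r['event_id']}"))
    return findings


def hosts_with_clearing(findings):
    """Sorted list of hosts on which any log-clearing activity was seen."""
    return sorted({f.host for f in findings})


# Constructed sample telemetry (hypothetical hosts and accounts). The "qe"
# query and the 4624 logon are benign records included to show they are ignored.
SAMPLE_RECORDS = [
    {"kind": "process", "host": "ws01", "user": "CORP\\jdoe",
     "cmdline": "wevtutil cl System"},
    {"kind": "process", "host": "ws01", "user": "CORP\\jdoe",
     "cmdline": "wevtutil.exe clear-log Security"},
    {"kind": "process", "host": "ws02", "user": "CORP\\svc-backup",
     "cmdline": 'powershell.exe -NoP -c "Clear-EventLog -LogName Application"'},
    {"kind": "process", "host": "ws02", "user": "CORP\\jdoe",
     "cmdline": "wevtutil qe Security /c:5"},
    {"kind": "winlog", "host": "ws01", "user": "CORP\\jdoe",
     "event_id": 1102, "cleared_log": "Security"},
    {"kind": "winlog", "host": "ws03", "user": "SYSTEM",
     "event_id": 4624, "cleared_log": None},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"{f.host} {f.user}: {f.tool} cleared {f.log} ({f.evidence})")
    print("hosts:", hosts_with_clearing(scan(SAMPLE_RECORDS)))
```

The command-line match and the log-cleared audit record are two independent signals for the same action; seeing the command line without a matching 1102/104 record from the same host is itself worth a look, since it suggests the local log was cleared before forwarding caught up, which is exactly the window the mitigation section says to minimise.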
References
- [1] Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
- [2] Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach. DerbyCon 2016. Retrieved October 4, 2016.
- [4] US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
- [5] Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
- [6] Elovitz, S. and Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
- [7] Cherepanov, A. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved May 18, 2016.
- [8] Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
- [9] Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
- [10] Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
- [11] Axel F. and Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
- [12] Cherepanov, A. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
- [13] Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
- [14] Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
- [15] FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016.