# Indicator Removal on Host

Indicator Removal on Host
Technique
ID T1070
Tactic Defense Evasion
Platform Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Linux, Windows 10, MacOS, OS X
Data Sources File monitoring, Process command-line parameters, Process monitoring
Defense Bypassed Anti-virus, Log analysis, Host intrusion prevention systems
CAPEC ID CAPEC-93

Adversaries may delete or alter generated event files on a host system, including potentially captured files such as quarantined malware. This may compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine what occurred.

## Examples

• APT28 has cleared event logs using the commands wevtutil cl System and wevtutil cl Security.1
• APT29 used sdelete to remove artifacts from victims.2
• APT29 used multiple versions of malware, and also minimized re-use of commonly-identified indicators like MD5s and C2s.2
• The BlackEnergy component KillDisk is capable of deleting Windows Event Logs.3
• Misdat is capable of deleting Registry keys used for persistence.4
• After encrypting log files, the log encryption module in Prikormka deletes the original, unencrypted files from the host.5
• RTM has the ability to remove Registry entries that it created during execution.6
• gh0st RAT is able to wipe event logs.7

## Mitigation

Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. Protect generated event files that are stored locally with proper permissions and authentication. Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.

## Detection

File system monitoring may be used to detect improper deletion or modification of indicator files. Events not stored on the file system will require different detection mechanisms.