Indicator Removal on Host

From attackics
Jump to navigation Jump to search
Indicator Removal on Host
ID T0872
Tactic Evasion
Data Sources File monitoring, Process monitoring, Process command-line parameters, API monitoring, Windows event logs
Asset Human-Machine Interface, Safety Instrumented System/Protection Relay


Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks. In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device.

Procedure Examples

  • Dragonfly 2.0 deleted indicators on staging and target devices by uninstalling software, removing event logs, batch scripts, screenshots, registry keys, documents, and tools they brought into the target networks.1
  • KillDisk deletes application, security, setup, and system event logs from Windows systems.2
  • Triton would reset the controller to the previous state over TriStation and if this failed it would write a dummy program to memory in what was likely an attempt at anti-forensics.3