This site has been deprecated in favor of and will remain in place until 11/1/22.

Indicator Removal on Host

From attackics
Jump to navigation Jump to search

To visit this technique’s new page please go to and update your links to

Indicator Removal on Host
ID T0872
Tactic Evasion
Data Sources Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, User Account: User Account Authentication, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Asset Human-Machine Interface, Safety Instrumented System/Protection Relay


Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks. In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device.

Procedure Examples

  • Dragonfly 2.0 deleted indicators on staging and target devices by uninstalling software, removing event logs, batch scripts, screenshots, registry keys, documents, and tools they brought into the target networks.1
  • KillDisk deletes application, security, setup, and system event logs from Windows systems.2
  • Triton would reset the controller to the previous state over TriStation and if this failed it would write a dummy program to memory in what was likely an attempt at anti-forensics.3