Indicator Removal on Host
|Indicator Removal on Host||
|---|---|
|Data Sources|File monitoring, Process monitoring, Process command-line parameters, API monitoring, Windows event logs|
|Asset|Human-Machine Interface, Safety Instrumented System/Protection Relay|
Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks. In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device.
- Dragonfly 2.0 deleted indicators on staging and target devices by uninstalling software, removing event logs, batch scripts, screenshots, registry keys, documents, and tools they brought into the target networks.[1]
- KillDisk deletes application, security, setup, and system event logs from Windows systems.[2]
- Triton would reset the controller to the previous state over TriStation and, if this failed, it would write a dummy program to memory in what was likely an attempt at anti-forensics.[3]
- Restrict File and Directory Permissions - Protect files stored locally with proper permissions to limit opportunities for adversaries to remove indicators of their activity on the system.[4][5]
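
The Windows event log and process command-line data sources listed above can be combined into a detection for the event-log deletion described for KillDisk and Dragonfly 2.0. The following is an added example, not part of the original page: the record field names, host names and sample records are constructed, and it assumes events are forwarded to a central collector so they survive deletion on the host.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of records already forwarded to a central collector
# (field names are hypothetical; map them to your SIEM's schema).
SAMPLE = [
    {"host": "hmi-01", "time": "2024-01-15T08:00:05", "channel": "Security", "event_id": 4688,
     "command_line": "wevtutil.exe cl Application"},
    {"host": "hmi-01", "time": "2024-01-15T08:00:06", "channel": "System", "event_id": 104,
     "cleared": "Application"},
    {"host": "hmi-01", "time": "2024-01-15T08:00:07", "channel": "System", "event_id": 104,
     "cleared": "Setup"},
    {"host": "hmi-01", "time": "2024-01-15T08:00:09", "channel": "Security", "event_id": 1102,
     "cleared": "Security"},
    {"host": "eng-ws-02", "time": "2024-01-15T09:30:00", "channel": "Security", "event_id": 4688,
     "command_line": "wevtutil.exe qe System /c:5"},
]

# 1102 (Security) and 104 (System) are the records Windows writes when a log is cleared.
CLEAR_EVENTS = {("Security", 1102), ("System", 104)}
# Built-in tools that clear or delete event logs, matched in 4688 process-creation
# command lines (present only when command-line auditing is enabled).
CLEAR_CMD = re.compile(r"\bwevtutil(\.exe)?\s.*\b(cl|clear-log)\b|\b(Clear|Remove)-EventLog\b", re.I)

def find_log_clearing(records):
    """Return (host, time, cleared_log_or_None, reason) per record indicating log clearing."""
    out = []
    for r in records:
        t = datetime.fromisoformat(r["time"])
        if (r["channel"], r["event_id"]) in CLEAR_EVENTS:
            out.append((r["host"], t, r["cleared"], "log cleared event"))
        elif r["event_id"] == 4688 and CLEAR_CMD.search(r.get("command_line", "")):
            out.append((r["host"], t, None, "log-clearing command line"))
    return out

def mass_clearing_hosts(records, window=timedelta(minutes=5), min_channels=3):
    """Hosts where at least min_channels distinct logs were cleared within window."""
    by_host = defaultdict(list)
    for host, t, cleared, _ in find_log_clearing(records):
        if cleared:
            by_host[host].append((t, cleared))
    flagged = set()
    for host, events in by_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            if len({c for t, c in events[i:] if t - start <= window}) >= min_channels:
                flagged.add(host)
    return sorted(flagged)
```

A single cleared log can be routine maintenance; several distinct logs cleared on one HMI within minutes is the pattern worth paging on.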
1. Cybersecurity & Infrastructure Security Agency. (2018, March 15). Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved October 11, 2019.
2. Anton Cherepanov. (n.d.). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved October 29, 2019.
3. Jos Wetzels. (2018, January 16). Analyzing the TRITON industrial malware. Retrieved October 22, 2019.