Indicator Removal on Host

From attackics
Technique
ID: T0872
Tactic: Evasion
Data Sources: File monitoring, Process monitoring, Process command-line parameters, API monitoring, Windows event logs
Asset: Human-Machine Interface, Safety Instrumented System/Protection Relay

Description

Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks. When an adversary believes detection is imminent, they may try to overwrite, delete, or cover up the changes they have made to the device.


Procedure Examples

  • KillDisk deletes the Application, Security, Setup, and System event logs from Windows systems. [1]
  • Triton would reset the controller to the previous state over TriStation and, if this failed, it would write a dummy program to memory, in what was likely an attempt at anti-forensics. [2]

Mitigations