T0872 Indicator Removal on Host
Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks. In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device.
Item | Value |
---|---|
ID | T0872 |
Sub-techniques | |
Tactics | TA0103 (Evasion) |
Platforms | Human-Machine Interface, Safety Instrumented System/Protection Relay |
Version | 1.0 |
Created | 21 May 2020 |
Last Modified | 09 March 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0607 | KillDisk | KillDisk deletes the Application, Security, Setup, and System event logs from Windows systems. [4] |
S1009 | Triton | Triton would reset the controller to its previous state over TriStation; if this failed, it would write a dummy program to memory, likely as an attempt at anti-forensics. [3] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M0922 | Restrict File and Directory Permissions | Protect files stored locally with proper permissions to limit opportunities for adversaries to remove indicators of their activity on the system. [1][2] |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Deletion |
DS0009 | Process | OS API Execution |
DS0024 | Windows Registry | Windows Registry Key Deletion |
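As an added example that is not part of the ATT&CK page, the following Python applies the four Detection data components above to constructed sample telemetry, covering the event-log clearing attributed to KillDisk in the procedure examples and the other three components in the table. The record format, hostnames, users, the rule that treats deletion of Run/RunOnce autostart values as indicator removal, and the one-rule-per-component mapping are assumptions made for this example; the Windows Event Log service IDs (Security 1102 "The audit log was cleared", System 104 "The ... log file was cleared"), the `wevtutil cl`/`clear-log` and `Clear-EventLog` command forms, and the `winevt\Logs\*.evtx` location are real.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry (not real logs), one dict per record, normalised
# to the four data components in the Detection table: command (Command
# Execution), api (OS API Execution, seen here through the Event Log service's
# own audit events), file_delete (File Deletion) and registry_delete (Windows
# Registry Key Deletion). Hostnames and user names are made up.
SAMPLE_EVENTS = [
    {"component": "command", "host": "hmi-01", "user": "operator",
     "command_line": "wevtutil.exe cl Security"},
    {"component": "command", "host": "hmi-01", "user": "operator",
     "command_line": 'powershell.exe -nop -c "Clear-EventLog -LogName System,Application"'},
    {"component": "command", "host": "eng-ws-02", "user": "svc_backup",
     "command_line": r"robocopy D:\proj \\nas\proj /MIR /LOG:backup.log"},
    {"component": "api", "host": "hmi-01", "channel": "Security", "event_id": 1102},
    {"component": "api", "host": "hmi-01", "channel": "System", "event_id": 104},
    {"component": "api", "host": "hmi-01", "channel": "System", "event_id": 7036},
    {"component": "file_delete", "host": "hmi-01",
     "path": r"C:\Windows\System32\winevt\Logs\Application.evtx"},
    {"component": "file_delete", "host": "eng-ws-02", "path": r"C:\Temp\export.csv"},
    {"component": "registry_delete", "host": "hmi-01",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"},
]

# Command lines that clear Windows event logs (the KillDisk behaviour above,
# as it looks when issued through cmd or PowerShell).
LOG_CLEAR_CMD = re.compile(
    r"wevtutil(?:\.exe)?\s+(?:cl|clear-log)\b|clear-eventlog\b|remove-eventlog\b",
    re.IGNORECASE,
)
# Events the Event Log service writes when a log is cleared: 1102 in the
# Security channel, 104 in the System channel.
LOG_CLEARED_EVENTS = {("Security", 1102), ("System", 104)}
# Deleting .evtx files from the log directory is another way to remove logs.
EVTX_PATH = re.compile(r"\\winevt\\logs\\[^\\]+\.evtx$", re.IGNORECASE)
# Assumption for this example: deletion of an autostart (Run/RunOnce) value is
# treated as an adversary removing its own persistence artefact.
AUTOSTART_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    host: str
    component: str
    reason: str
    evidence: str


def _check(event):
    """Return (reason, evidence) if the record matches a T0872 rule, else None."""
    c = event["component"]
    if c == "command" and LOG_CLEAR_CMD.search(event["command_line"]):
        return "event log cleared via command line", event["command_line"]
    if c == "api" and (event["channel"], event["event_id"]) in LOG_CLEARED_EVENTS:
        return "Event Log service reported a cleared log", f'{event["channel"]}:{event["event_id"]}'
    if c == "file_delete" and EVTX_PATH.search(event["path"]):
        return "event log file deleted on disk", event["path"]
    if c == "registry_delete" and AUTOSTART_KEY.search(event["key"]):
        return "autostart registry value deleted", event["key"]
    return None


def detect(events):
    """Run every record through the rules and return the alerts raised."""
    alerts = []
    for ev in events:
        hit = _check(ev)
        if hit:
            reason, evidence = hit
            alerts.append(Alert(ev["host"], ev["component"], reason, evidence))
    return alerts


def by_host(alerts):
    """Count how many distinct data components fired per host. Several
    components agreeing on one host is a far stronger signal than any single
    rule, since a lone log-clear command can be routine maintenance."""
    comps = {}
    for a in alerts:
        comps.setdefault(a.host, set()).add(a.component)
    return {h: len(s) for h, s in comps.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.host:10} {a.component:16} {a.reason}: {a.evidence}")
    print("components firing per host:", by_host(found))
```

On the constructed sample the rules fire six times, all on `hmi-01`, across all four components; `eng-ws-02` produces nothing because its command line and file deletion are benign. The corroboration in `by_host` is the part worth keeping when adapting this: it is what separates an administrator running `wevtutil cl` once from a host on which logs, log files and persistence keys all disappear together.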
References
1. Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved 2018/03/28.
2. National Institute of Standards and Technology. (2013, April). Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved 2020/09/17.
3. Jos Wetzels. (2018, January 16). Analyzing the TRITON industrial malware. Retrieved 2019/10/22.
4. Anton Cherepanov. BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved 2019/10/29.