Skip to content

T0872 Indicator Removal on Host

Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks. In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device.

Item Value
ID T0872
Tactics TA0103
Platforms Human-Machine Interface, Safety Instrumented System/Protection Relay
Version 1.0
Created 21 May 2020
Last Modified 09 March 2023

Procedure Examples

ID Name Description
S0607 KillDisk KillDisk deletes application, security, setup, and system event logs from Windows systems. 4
S1009 Triton Triton would reset the controller to the previous state over TriStation and if this failed it would write a dummy program to memory in what was likely an attempt at anti-forensics. 3


ID Mitigation Description
M0922 Restrict File and Directory Permissions Protect files stored locally with proper permissions to limit opportunities for adversaries to remove indicators of their activity on the system. 1 2


ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Deletion
DS0009 Process OS API Execution
DS0024 Windows Registry Windows Registry Key Deletion