
T0872 Indicator Removal on Host

Adversaries may attempt to remove indicators of their presence on a system in order to cover their tracks. When an adversary believes detection is imminent, they may overwrite, delete, or otherwise conceal the changes they have made to the device, for example by clearing host event logs or by replacing a malicious controller program with data that destroys evidence of what was loaded.

ID: T0872
Sub-techniques: (none)
Tactics: TA0103 (Evasion)
Platforms: None
Version: 1.0
Created: 21 May 2020
Last Modified: 25 April 2025

Procedure Examples

ID Name Description
S0607 KillDisk KillDisk deletes the Application, Security, Setup, and System event logs from Windows systems. [4]
S1009 Triton Triton would reset the controller to its previous state over TriStation; if this failed, it would write a dummy program to memory, in what was likely an attempt at anti-forensics. [3]
C0030 Triton Safety Instrumented System Attack In the Triton Safety Instrumented System Attack, TEMP.Veles would programmatically return the controller to a normal running state if the Triton malware failed. If the controller could not recover within a defined time window, TEMP.Veles programmatically overwrote their malicious program with invalid data. [5]
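The KillDisk procedure above is a host-side example of this technique, and it leaves a detectable trace: clearing a Windows event log writes an event from the Microsoft-Windows-Eventlog provider (ID 1102 in the Security log when the Security log is cleared, ID 104 in the System log when any log is cleared), and the EventRecordID of the cleared channel restarts from 1. The detection below is an added example written for this page, not code from ATT&CK or from any KillDisk analysis. It assumes event records have already been exported into dicts with the fields shown (the `cleared_channel` field stands in for the channel name carried in the 104 event's data), and the sample records are constructed for illustration.

```python
"""Detect Windows event-log clearing from exported event records.

Added example for ATT&CK ICS T0872; not part of the original page.
Assumes records are dicts with channel, provider, event_id, record_id and
timestamp fields (e.g. produced from Get-WinEvent output). The field
`cleared_channel` is an assumption standing in for the channel name that a
real 104 event carries in its event data.
"""

# Events the Microsoft-Windows-Eventlog provider writes when a log is cleared.
# 1102 appears in the Security log; 104 appears in the System log and names
# the channel that was cleared.
CLEAR_EVENTS = {
    ("Security", 1102): "Security audit log cleared",
    ("System", 104): "Event log cleared",
}

EVENTLOG_PROVIDER = "Microsoft-Windows-Eventlog"

# Constructed sample records, not real telemetry. record_id models the
# EventRecordID, which increases monotonically within a channel and restarts
# after the log is cleared.
SAMPLE_RECORDS = [
    {"channel": "Security", "provider": "Microsoft-Windows-Security-Auditing",
     "event_id": 4624, "record_id": 50001, "timestamp": "2025-01-10T08:00:01Z"},
    {"channel": "Security", "provider": "Microsoft-Windows-Security-Auditing",
     "event_id": 4688, "record_id": 50002, "timestamp": "2025-01-10T08:00:05Z"},
    {"channel": "System", "provider": EVENTLOG_PROVIDER,
     "event_id": 104, "record_id": 9101, "timestamp": "2025-01-10T08:01:00Z",
     "cleared_channel": "Application"},
    {"channel": "Security", "provider": EVENTLOG_PROVIDER,
     "event_id": 1102, "record_id": 1, "timestamp": "2025-01-10T08:01:02Z"},
    {"channel": "Security", "provider": "Microsoft-Windows-Security-Auditing",
     "event_id": 4624, "record_id": 2, "timestamp": "2025-01-10T08:01:10Z"},
]


def detect_log_clearing(records):
    """Return one alert dict per indicator of log clearing found in records.

    Two independent signals are used:
      * an explicit clear event (1102 or 104 from the Eventlog provider);
      * an EventRecordID that goes backwards within a channel, which a
        forwarding collector still sees if the clear event itself was lost.
    Records must be in the order the collector received them.
    """
    alerts = []
    last_record_id = {}
    for rec in records:
        key = (rec["channel"], rec["event_id"])
        if rec["provider"] == EVENTLOG_PROVIDER and key in CLEAR_EVENTS:
            alerts.append({
                "type": "clear_event",
                # For 104 the cleared log is named in the event; for 1102 it
                # is the Security log itself.
                "channel": rec.get("cleared_channel", rec["channel"]),
                "timestamp": rec["timestamp"],
                "detail": CLEAR_EVENTS[key],
            })
        prev = last_record_id.get(rec["channel"])
        if prev is not None and rec["record_id"] < prev:
            alerts.append({
                "type": "record_id_regression",
                "channel": rec["channel"],
                "timestamp": rec["timestamp"],
                "detail": f"EventRecordID fell from {prev} to {rec['record_id']}",
            })
        last_record_id[rec["channel"]] = rec["record_id"]
    return alerts


if __name__ == "__main__":
    for alert in detect_log_clearing(SAMPLE_RECORDS):
        print(alert["timestamp"], alert["channel"], alert["type"], alert["detail"])
```

On the constructed sample this raises three alerts: the 104 event naming the Application log, the 1102 event for the Security log, and a record-ID regression on the Security channel from the same clear. The regression check is the one that matters against an adversary who deletes the log file outright rather than clearing it through the API, because no 1102/104 event is written in that case; it depends on logs being forwarded off the host before they can be removed, which is also why the mitigation below restricts who can touch the log files locally.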

Mitigations

ID Mitigation Description
M0922 Restrict File and Directory Permissions Protect files stored locally with proper permissions to limit opportunities for adversaries to remove indicators of their activity on the system. [1] [2]

References