Skip to content

T1070 Indicator Removal

Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.

Removal of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.

Item Value
ID T1070
Sub-techniques T1070.001, T1070.002, T1070.003, T1070.004, T1070.005, T1070.006, T1070.007, T1070.008, T1070.009
Tactics TA0005
Platforms Containers, Google Workspace, Linux, Network, Office 365, Windows, macOS
Version 2.1
Created 31 May 2017
Last Modified 11 April 2023

Procedure Examples

ID Name Description
S0239 Bankshot Bankshot deletes all artifacts associated with the malware from the infected machine.15
S0089 BlackEnergy BlackEnergy has removed the watermark associated with enabling the TESTSIGNING boot configuration option by removing the relevant strings in the user32.dll.mui of the system.14
S0527 CSPY Downloader CSPY Downloader has the ability to remove values it writes to the Registry.1
S0673 DarkWatchman DarkWatchman can uninstall malicious components from the Registry, stop processes, and clear the browser history.11
S0695 Donut Donut can erase file references to payloads in-memory after being reflectively loaded and executed.2
S0568 EVILNUM EVILNUM has a function called “DeleteLeftovers” to remove certain artifacts of the attack.16
S0696 Flagpro Flagpro can close specific Windows Security and Internet Explorer dialog boxes to mask external connections.21
S1044 FunnyDream FunnyDream has the ability to clean traces of malware deployment.19
S0697 HermeticWiper HermeticWiper can disable pop-up information about folders and desktop items and delete Registry keys to hide malicious services.98
G0032 Lazarus Group Lazarus Group has restored malicious KernelCallbackTable code to its original state after the process execution flow has been hijacked.22
S0449 Maze Maze has used the “Wow64RevertWow64FsRedirection” function following attempts to delete the shadow volumes, in order to leave the system in the same state as it was prior to redirection.7
S0455 Metamorfo Metamorfo has a command to delete a Registry key it uses, \Software\Microsoft\Internet Explorer\notes.6
S0691 Neoichor Neoichor can clear the browser history on a compromised host by changing the ClearBrowsingHistoryOnExit value to 1 in the HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy Registry key.5
S0229 Orz Orz can overwrite Registry settings to reduce its visibility on the victim.10
S0448 Rising Sun Rising Sun can clear a memory blog in the process by overwriting it with junk bytes.12
S0461 SDBbot SDBbot has the ability to clean up and remove data structures from a compromised host.20
S0596 ShadowPad ShadowPad has deleted arbitrary Registry values.17
S0589 Sibot Sibot will delete an associated registry key if a certain server response is received.18
S0692 SILENTTRINITY SILENTTRINITY can remove artifacts from the compromised host, including created Registry keys.3
C0024 SolarWinds Compromise During the SolarWinds Compromise, APT29 temporarily replaced legitimate utilities with their own, executed their payload, and then restored the original file.23
S0603 Stuxnet Stuxnet can delete OLE Automation and SQL stored procedures used to store malicious payloads.13
S0559 SUNBURST SUNBURST removed HTTP proxy registry values to clean up traces of execution.4

Mitigations

ID Mitigation Description
M1041 Encrypt Sensitive Information Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.
M1029 Remote Data Storage Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system.
M1022 Restrict File and Directory Permissions Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.

Detection

ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0017 Command Command Execution
DS0022 File File Deletion
DS0018 Firewall Firewall Rule Modification
DS0029 Network Traffic Network Traffic Content
DS0009 Process OS API Execution
DS0003 Scheduled Job Scheduled Job Modification
DS0002 User Account User Account Authentication
DS0024 Windows Registry Windows Registry Key Deletion

References

  1. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. 

  2. TheWover. (2019, May 9). donut. Retrieved March 25, 2022. 

  3. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022. 

  4. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021. 

  5. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022. 

  6. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020. 

  7. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020. 

  8. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022. 

  9. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022. 

  10. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018. 

  11. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022. 

  12. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. 

  13. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22  

  14. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016. 

  15. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018. 

  16. Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021. 

  17. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021. 

  18. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. 

  19. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. 

  20. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020. 

  21. Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022. 

  22. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022. 

  23. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.