# T1070 Indicator Removal on Host

-----------------------------------------------------------------------

## Technique Description

Adversaries may delete or modify artifacts generated on a host system to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.

Removal of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.

## Technique Detection

File system monitoring may be used to detect improper deletion or modification of indicator files. Events not stored on the file system may require different detection mechanisms.

-----------------------------------------------------------------------

### Tactics:

  *   Defense-Evasion

### Platforms:

  * Linux

  * macOS

  * Windows

  * Containers

  * Network

### Defenses Bypassed:

  * Log analysis

  * Host intrusion prevention systems

  * Anti-virus

### Data Sources:

  * **Network Traffic:** Network Traffic Content

  * **Process:** OS API Execution

  * **Windows Registry:** Windows Registry Key Deletion

  * **File:** File Modification

  * **Command:** Command Execution

  * **File:** File Metadata

  * **Process:** Process Creation

  * **File:** File Deletion

  * **Windows Registry:** Windows Registry Key Modification

  * **User Account:** User Account Authentication

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| UNC2452 | [UNC2452](https://attack.mitre.org/groups/G0118) removed evidence of email export requests using <code>Remove-MailboxExportRequest</code>.(Citation: Volexity SolarWinds) They temporarily replaced legitimate utilities with their own, executed their payload, and then restored the original file.(Citation: FireEye SUNBURST Backdoor December 2020)| 
| Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has restored malicious [KernelCallbackTable](https://attack.mitre.org/techniques/T1574/013) code to its original state after the process execution flow has been hijacked.(Citation: Lazarus APT January 2022)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) removed evidence of email export requests using <code>Remove-MailboxExportRequest</code>.(Citation: Volexity SolarWinds) They temporarily replaced legitimate utilities with their own, executed their payload, and then restored the original file.(Citation: FireEye SUNBURST Backdoor December 2020)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1070)

  * [Capec](https://capec.mitre.org/data/definitions/93.html)

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will delete or alter generated artifacts on a host system to evade system defenses.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

#### APT28
- has performed timestomping on victim files.
- has cleared event logs, including by using the commands `wevtutil cl System` and `wevtutil cl Security`.
- has intentionally deleted computer files to cover their tracks, including with use of the program CCleaner.

#### APT29 
- used SDelete to remove artifacts from victims.

## Detection Blindspots

- Information Here

## Analytical References

  * [Network Share Windows 10 (action1)](https://www.action1.com/kb/deletting-network-share-Windows-10.html)
  * [Windows Event 1102 (ultimatewindowssecurity)](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1102)
  * [Clear Eventlog Powershell-5.1 (microsoft)](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/clear-eventlog?view=powershell-5.1)
  * [Eventlog Clear (microsoft)](https://docs.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear?redirectedfrom=MSDN&view=dotnet-plat-ext-3.1#System_Diagnostics_EventLog_Clear)
  * [Finfisher Exposed 2018 (microsoft)](https://www.microsoft.com/security/blog/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/)
  * [wevtutil (microsoft)](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Network share connections may be common depending on how a network environment is used. Monitor command-line invocation of `net use` commands associated with establishing and removing remote shares over SMB.
- SMB traffic between systems may also be captured and decoded to look for related network share session and file transfer activity.
- While identifying the removal of Windows Logs may seem simplistic, consider that an adversary may have cleared logs several months or even years prior to hunt operations.
- Event 1102 is logged whenever the Security log is cleared, REGARDLESS of the status of the Audit System Events audit policy. The Account Name and Domain Name fields identify the user who cleared the log. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
- The `Clear-EventLog` PowerShell command can name specific logs to clear (for example via `-LogName`). Searching for the generic command name is advisable, but further analysis of the arguments will usually be needed to determine which logs were targeted.

#### Analytic 1

  * **Information:** net usage

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** 

  * **Query:** ```process.name : (net.exe or net1.exe) and process.command_line : */DELETE*```

#### Analytic 2

  * **Information:** Event Logs Cleared

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:**
      - (Win2008, Win2012R2, Win2016, Win10+, Win2019) 1102: The audit log was cleared
      - (Win2000/2003, WinXP) 517: The audit log was cleared

  * **Query:** ```event.code : (1102 or 517)```

#### Analytic 3

  * **Information:** wevtutil usage

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** 

  * **Query:** ```process.name : wevtutil.exe AND process.command_line : *cl*```
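As an added example (not part of this playbook or of any tool it references), the hunter notes and Analytics 1 to 3 above expressed as detection logic in Python, run over constructed ECS-style event lines: it flags 1102/517 log-clearing events together with the clearing account and logon ID for pivoting, `wevtutil` only when its subcommand is actually `cl`/`clear-log`, `Clear-EventLog` with the named log, and `net use /delete`. The field layout (`winlog.event_data.*`, `process.command_line`) follows Winlogbeat/Sysmon ECS conventions and is an assumption.

```python
import json

# Constructed sample events in ECS-style JSON lines (not real telemetry).
# Each exercises one hunter note above; the last is benign wevtutil usage
# that a loose "*cl*" substring match would flag but this logic does not.
SAMPLE_EVENTS = [
    '{"event":{"code":"1102"},"winlog":{"event_data":{"SubjectUserName":"jdoe",'
    '"SubjectDomainName":"CORP","SubjectLogonId":"0x3e7a1"}}}',
    '{"event":{"code":"1"},"process":{"name":"wevtutil.exe",'
    '"command_line":"wevtutil.exe clear-log Security"}}',
    '{"event":{"code":"1"},"process":{"name":"powershell.exe",'
    '"command_line":"powershell -c Clear-EventLog -LogName System"}}',
    '{"event":{"code":"1"},"process":{"name":"net.exe",'
    '"command_line":"net use Z: /delete"}}',
    '{"event":{"code":"1"},"process":{"name":"wevtutil.exe",'
    '"command_line":"wevtutil.exe qe Security /c:5 /f:text"}}',
]

LOG_CLEARED_CODES = {"1102", "517"}  # Security log cleared: Win2008+ / Win2000-2003/XP

def classify(event):
    """Return a finding label for one parsed event, or None if it is not of interest."""
    code = str(event.get("event", {}).get("code", ""))
    if code in LOG_CLEARED_CODES:
        d = event.get("winlog", {}).get("event_data", {})
        # Account and domain identify who cleared the log; the logon ID pivots
        # back to the matching 4624 and everything else in that session.
        return (f"log-cleared by {d.get('SubjectDomainName')}\\{d.get('SubjectUserName')} "
                f"logon_id={d.get('SubjectLogonId')}")
    proc = event.get("process", {})
    name = proc.get("name", "").lower()
    argv = proc.get("command_line", "").lower().split()
    # Only the cl / clear-log subcommand clears a log; qe, gl, el are benign reads.
    if name == "wevtutil.exe" and len(argv) > 1 and argv[1] in ("cl", "clear-log"):
        return "wevtutil-clear-log " + (argv[2] if len(argv) > 2 else "?")
    # Clear-EventLog may name specific logs; pull the -LogName value when present.
    if "clear-eventlog" in argv:
        i = argv.index("-logname") + 1 if "-logname" in argv else len(argv)
        return "clear-eventlog " + (argv[i] if i < len(argv) else "?")
    # net use ... /delete tears down an SMB share mapping (Analytic 1).
    if name in ("net.exe", "net1.exe") and "use" in argv and "/delete" in argv:
        target = " ".join(a for a in argv[2:] if a != "/delete")
        return "net-use-delete " + (target or "*")
    return None

def hunt(lines):
    """Run classify() over JSON lines; return findings in input order."""
    return [lab for lab in (classify(json.loads(ln)) for ln in lines) if lab]
```

Restricting the wevtutil check to the `cl`/`clear-log` subcommand drops the benign `qe`/`gl` hits that the `*cl*` wildcard in Analytic 3 returns, at the cost of needing the full command line rather than a substring.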



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

