Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
40 lines (29 sloc) 1.45 KB

T1070 - Indicator Removal on Host

Description from ATT&CK

Adversaries may delete or alter generated artifacts on a host system, including logs and potentially captured files such as quarantined malware. Locations and format of logs will vary, but typical organic system logs are captured as Windows events or Linux/macOS files such as [Bash History](https://attack.mitre.org/techniques/T1139) and /var/log/* .

Actions that interfere with eventing and other notifications that can be used to detect intrusion activity may compromise the integrity of security solutions, causing events to go unreported. They may also make forensic analysis and incident response more difficult due to lack of sufficient data to determine what occurred.

How to Detect

Simulating the attack

rm -rf /var/log/*

Data sources required to detect the attack

auditlogs (audit.rules)

bash_history logs

Splunk Queries to detect the attack

auditlogs(syscalls)

index=linux sourcetype=linux_audit syscall=263 | table host,auid,uid,euid,exe,key
index=linux sourcetype=linux_audit type=PATH name=*.log nametype=delete

Audit rules:

-a always,exit -F arch=b64 -F PATH=/var/log -S unlinkat -F auid>=1000 -F auid!=4294967295 -F key=delete_logs

bash_history

index=linux sourcetype="bash_history" rm * .log | table host, user_name, bash_command

Caution/Caveat

You can’t perform that action at this time.