Skip to content

Latest commit

 

History

History
199 lines (102 loc) · 4.95 KB

T1070.md

File metadata and controls

199 lines (102 loc) · 4.95 KB

T1070 - Indicator Removal on Host

Adversaries may delete or alter generated artifacts on a host system, including logs and potentially captured files such as quarantined malware. Locations and format of logs will vary, but typical organic system logs are captured as Windows events or Linux/macOS files such as [Bash History](https://attack.mitre.org/techniques/T1139) and /var/log/* .

Actions that interfere with eventing and other notifications that can be used to detect intrusion activity may compromise the integrity of security solutions, causing events to go unreported. They may also make forensic analysis and incident response more difficult due to lack of sufficient data to determine what occurred.

Clear Windows Event Logs

Windows event logs are a record of a computer's alerts and notifications. Microsoft defines an event as "any significant occurrence in the system or in a program that requires users to be notified or an entry added to a log." There are three system-defined sources of Events: System, Application, and Security.

Adversaries performing actions related to account management, account logon and directory service access, etc. may choose to clear the events in order to hide their activities.

The event logs can be cleared with the following utility commands:

  • wevtutil cl system
  • wevtutil cl application
  • wevtutil cl security

Logs may also be cleared through other mechanisms, such as PowerShell.

Atomic Tests


Atomic Test #1 - Clear Logs

Clear Windows Event Logs

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
log_name Windows Log Name, ex System String System

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

wevtutil cl #{log_name}


Atomic Test #2 - FSUtil

Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume.

Supported Platforms: Windows

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

fsutil usn deletejournal /D C:


Atomic Test #3 - rm -rf

Delete system and audit logs

Supported Platforms: macOS, Linux

Attack Commands: Run with sh!

rm -rf /private/var/log/system.log*
rm -rf /private/var/audit/*


Atomic Test #4 - Overwrite Linux Mail Spool

This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers.

Supported Platforms: Linux

Inputs:

Name Description Type Default Value
username Username of mail spool String root

Attack Commands: Run with bash!

echo 0> /var/spool/mail/#{username}


Atomic Test #5 - Overwrite Linux Log

This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers.

Supported Platforms: Linux

Inputs:

Name Description Type Default Value
log_path Path of specified log Path /var/log/secure

Attack Commands: Run with bash!

echo 0> #{log_path}


Atomic Test #6 - Delete System Logs Using PowerShell

Recommended Detection: Monitor for use of the windows event log filepath in PowerShell couple with delete arguments

Supported Platforms: Windows

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

$eventLogId = Get-WmiObject -Class Win32_Service -Filter "Name LIKE 'EventLog'" | Select-Object -ExpandProperty ProcessId
Stop-Process -Id $eventLogId -Force
Remove-Item C:\Windows\System32\winevt\Logs\Security.evtx

Cleanup Commands:

Start-Service -Name EventLog


Atomic Test #7 - Delete System Logs Using Clear-EventLogId

Clear event logs using built-in PowerShell commands

Supported Platforms: Windows

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

Clear-EventLog -logname Application