Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Техника Удаление признаков активности из системы
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Удаление признаков активности...
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Удаление признаков активности из системы

ID Name
.001 Очистка журналов событий Windows
.002 Очистка системных журналов Linux или Mac
.003 Очистка истории команд
.004 Удаление файлов
.005 Удаление подключений к общим сетевым ресурсам
.006 Изменение временных меток
.007 Очистка истории сетевых соединений и конфигураций
.008 Очистка почтового ящика
.009 Удаление индикаторов компрометации

Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform. Removal of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.

ID: T1070
Суб-техники:  .001 .002 .003 .004 .005 .006 .007 .008 .009
Тактика(-и): Defense Evasion
Платформы: Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Источники данных: Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Версия: 2.0
Дата создания: 31 May 2017
Последнее изменение: 21 Oct 2022

Примеры процедур
Название Описание
Donut

Donut can erase file references to payloads in-memory after being reflectively loaded and executed.(Citation: Donut Github)
SDBbot

SDBbot has the ability to clean up and remove data structures from a compromised host.(Citation: Proofpoint TA505 October 2019)
Metamorfo

Metamorfo has a command to delete a Registry key it uses, \Software\Microsoft\Internet Explorer\notes.(Citation: FireEye Metamorfo Apr 2018)

ShadowPad

ShadowPad has deleted arbitrary Registry values.(Citation: Kaspersky ShadowPad Aug 2017)
BlackEnergy

BlackEnergy has removed the watermark associated with enabling the TESTSIGNING boot configuration option by removing the relevant strings in the user32.dll.mui of the system.(Citation: F-Secure BlackEnergy 2014)
MCMD

MCMD has the ability to remove set Registry Keys.(Citation: Secureworks MCMD July 2019)
EVILNUM

EVILNUM has a function called "DeleteLeftovers" to remove certain artifacts of the attack.(Citation: Prevailion EvilNum May 2020)
SILENTTRINITY

SILENTTRINITY can remove artifacts from the compromised host, including created Registry keys.(Citation: GitHub SILENTTRINITY Modules July 2019)
S-Type

S-Type has deleted accounts it has created.(Citation: Cylance Dust Storm)
Orz

Orz can overwrite Registry settings to reduce its visibility on the victim.(Citation: Proofpoint Leviathan Oct 2017)
Goopy

Goopy has the ability to delete emails used for C2 once the content has been copied.(Citation: Cybereason Cobalt Kitty 2017)

HermeticWiper

HermeticWiper can disable pop-up information about folders and desktop items and delete Registry keys to hide malicious services.(Citation: Crowdstrike DriveSlayer February 2022)(Citation: ESET Hermetic Wizard March 2022)
APT29

APT29 temporarily replaced legitimate utilities with their own, executed their payload, and then restored the original file.(Citation: FireEye SUNBURST Backdoor December 2020)
Metamorfo

Metamorfo has a command to delete a Registry key it uses, \Software\Microsoft\Internet Explorer\notes.(Citation: FireEye Metamorfo Apr 2018)
CSPY Downloader

CSPY Downloader has the ability to remove values it writes to the Registry.(Citation: Cybereason Kimsuky November 2020)
ShadowPad

ShadowPad has deleted arbitrary Registry values.(Citation: Kaspersky ShadowPad Aug 2017)
Bazar

Bazar's loader can delete scheduled tasks created by a previous instance of the malware.(Citation: NCC Group Team9 June 2020)

Stuxnet

Stuxnet can delete OLE Automation and SQL stored procedures used to store malicious payloads.(Citation: Symantec W.32 Stuxnet Dossier)
Rising Sun

Rising Sun can clear a memory blog in the process by overwriting it with junk bytes.(Citation: McAfee Sharpshooter December 2018)

RTM

RTM has the ability to remove Registry entries that it created during execution.(Citation: ESET RTM Feb 2017)
Sibot

Sibot will delete an associated registry key if a certain server response is received.(Citation: MSTIC NOBELIUM Mar 2021)
Pillowmint

Pillowmint can uninstall the malicious service from an infected machine.(Citation: Trustwave Pillowmint June 2020)
FunnyDream

FunnyDream has the ability to clean traces of malware deployment.(Citation: Bitdefender FunnyDream Campaign November 2020)
UNC2452

UNC2452 removed evidence of email export requests using Remove-MailboxExportRequest.(Citation: Volexity SolarWinds) They temporarily replaced legitimate utilities with their own, executed their payload, and then restored the original file.(Citation: FireEye SUNBURST Backdoor December 2020)
Lazarus Group

Lazarus Group has restored malicious KernelCallbackTable code to its original state after the process execution flow has been hijacked.(Citation: Lazarus APT January 2022)
Maze

Maze has used the “Wow64RevertWow64FsRedirection” function following attempts to delete the shadow volumes, in order to leave the system in the same state as it was prior to redirection.(Citation: McAfee Maze March 2020)

Sibot

Sibot will delete an associated registry key if a certain server response is received.(Citation: MSTIC NOBELIUM Mar 2021)
Misdat

Misdat is capable of deleting Registry keys used for persistence.(Citation: Cylance Dust Storm)
CSPY Downloader

CSPY Downloader has the ability to remove values it writes to the Registry.(Citation: Cybereason Kimsuky November 2020)
Bankshot

Bankshot deletes all artifacts associated with the malware from the infected machine.(Citation: US-CERT Bankshot Dec 2017)
Flagpro

Flagpro can close specific Windows Security and Internet Explorer dialog boxes to mask external connections.(Citation: NTT Security Flagpro new December 2021)
njRAT

njRAT is capable of deleting objects related to itself (registry keys, files, and firewall rules) on the victim.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)
DarkWatchman

DarkWatchman can uninstall malicious components from the Registry, stop processes, and clear the browser history.(Citation: Prevailion DarkWatchman 2021)
SUNBURST

SUNBURST removed HTTP proxy registry values to clean up traces of execution.(Citation: Microsoft Deep Dive Solorigate January 2021)
Neoichor

Neoichor can clear the browser history on a compromised host by changing the `ClearBrowsingHistoryOnExit` value to 1 in the `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy` Registry key.(Citation: Microsoft NICKEL December 2021)

Контрмеры
Контрмера Описание
Encrypt Sensitive Information

Protect sensitive information with strong encryption.
Remote Data Storage

Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.
Restrict File and Directory Permissions

Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.
Indicator Removal on Host Mitigation

Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.

Обнаружение

File system monitoring may be used to detect improper deletion or modification of indicator files. Events not stored on the file system may require different detection mechanisms.

Ссылки

  1. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
  2. Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.
  3. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  4. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  5. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.
  6. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
  7. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  8. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  9. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020.
  10. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  11. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  12. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  13. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  14. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
  15. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
  16. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.
  17. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022.
  18. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  19. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  20. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  21. Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.
  22. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  23. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  24. TheWover. (2019, May 9). donut. Retrieved March 25, 2022.
  25. Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.
  26. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
  27. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  28. Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021.
  29. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
  30. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  31. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  32. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
  33. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.