Where am I?
SECURITM is an SGRC system that automates the processes of information security teams. SECURITM helps build and manage ISPDn (personal data information systems), KII (critical information infrastructure), GIS (state information systems), ISMS, and banking security systems.
SECURITM is also a place for security teams to share experience and work products.

Indicator Removal

Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform. Removal of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.

ID: T1070
Sub-techniques: .001 .002 .003 .004 .005 .006 .007 .008 .009 .010
Tactic(s): Defense Evasion
Platforms: Containers, Linux, macOS, Network, Office Suite, Windows
Data sources: Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Version: 2.2
Created: 31 May 2017
Last modified: 15 Oct 2024

Procedure Examples

Name / Description
IPsec Helper

IPsec Helper can delete various registry keys related to its execution and use.(Citation: SentinelOne Agrius 2021)

Donut

Donut can erase file references to payloads in-memory after being reflectively loaded and executed.(Citation: Donut Github)

SDBbot

SDBbot has the ability to clean up and remove data structures from a compromised host.(Citation: Proofpoint TA505 October 2019)

Metamorfo

Metamorfo has a command to delete a Registry key it uses, \Software\Microsoft\Internet Explorer\notes.(Citation: FireEye Metamorfo Apr 2018)

BPFDoor

BPFDoor clears the file location `/proc//environ` removing all environment variables for the process.(Citation: Sandfly BPFDoor 2022)

ShadowPad

ShadowPad has deleted arbitrary Registry values.(Citation: Kaspersky ShadowPad Aug 2017)

BlackEnergy

BlackEnergy has removed the watermark associated with enabling the TESTSIGNING boot configuration option by removing the relevant strings in the user32.dll.mui of the system.(Citation: F-Secure BlackEnergy 2014)

MCMD

MCMD has the ability to remove set Registry Keys.(Citation: Secureworks MCMD July 2019)

EVILNUM

EVILNUM has a function called "DeleteLeftovers" to remove certain artifacts of the attack.(Citation: Prevailion EvilNum May 2020)

SILENTTRINITY

SILENTTRINITY can remove artifacts from the compromised host, including created Registry keys.(Citation: GitHub SILENTTRINITY Modules July 2019)

During Cutting Edge, threat actors cleared logs to remove traces of their activity and restored compromised systems to a clean state to bypass manufacturer mitigations for CVE-2023-46805 and CVE-2024-21887.(Citation: Mandiant Cutting Edge Part 2 January 2024)(Citation: Volexity Ivanti Zero-Day Exploitation January 2024)

MultiLayer Wiper

MultiLayer Wiper uses a batch script to clear file system cache memory via the ProcessIdleTasks export in advapi32.dll as an anti-analysis and anti-forensics technique.(Citation: Unit42 Agrius 2023)

S-Type

S-Type has deleted accounts it has created.(Citation: Cylance Dust Storm)

Orz

Orz can overwrite Registry settings to reduce its visibility on the victim.(Citation: Proofpoint Leviathan Oct 2017)

Goopy

Goopy has the ability to delete emails used for C2 once the content has been copied.(Citation: Cybereason Cobalt Kitty 2017)

DUSTTRAP

DUSTTRAP restores the `.text` section of compromised DLLs after malicious code is loaded into memory and before the file is closed.(Citation: Google Cloud APT41 2024)

HermeticWiper

HermeticWiper can disable pop-up information about folders and desktop items and delete Registry keys to hide malicious services.(Citation: Crowdstrike DriveSlayer February 2022)(Citation: ESET Hermetic Wizard March 2022)

APT29

APT29 temporarily replaced legitimate utilities with their own, executed their payload, and then restored the original file.(Citation: FireEye SUNBURST Backdoor December 2020)

CSPY Downloader

CSPY Downloader has the ability to remove values it writes to the Registry.(Citation: Cybereason Kimsuky November 2020)

Bazar

Bazar's loader can delete scheduled tasks created by a previous instance of the malware.(Citation: NCC Group Team9 June 2020)

Stuxnet

Stuxnet can delete OLE Automation and SQL stored procedures used to store malicious payloads.(Citation: Nicolas Falliere, Liam O Murch