Indicator Removal: Removal of Indicators of Compromise
Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, Modify Registry, Plist File Modification, or other cleanup methods that prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm) In some instances, artifacts of persistence may also be removed once an adversary's new persistence mechanism is running, in order to prevent errors with the new instance of the malware.(Citation: NCC Group Team9 June 2020)
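The behaviour described above leaves a detectable trace of its own: the deletion of a registry value, key or scheduled task that is itself a persistence location. The following detector is an added example (not part of this page or of ATT&CK) that runs over a constructed stream of Sysmon registry events (Event ID 12 for key create/delete, 13 for value set) and Security scheduled-task events (4698 created, 4699 deleted). It flags every removal of a watched persistence artifact and additionally marks a "self-cleanup" when the same process image or account that created the artifact later removes it, which is the pattern the Bazar and SUNBURST procedure examples describe. The watch-list of registry paths and the sample events are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# Registry locations commonly used for persistence (hypothetical watch-list,
# not exhaustive); paths are matched case-insensitively.
PERSISTENCE_KEY_PATTERNS = [
    (r"\\CurrentVersion\\Run(Once)?\\", "Run/RunOnce value"),
    (r"\\Image File Execution Options\\", "IFEO key"),
    (r"\\CurrentControlSet\\Services\\[^\\]+$", "service key"),
    (r"\\Winlogon\\(Shell|Userinit)$", "Winlogon value"),
]


@dataclass
class Event:
    source: str      # log channel the record came from: "Sysmon" or "Security"
    event_id: int
    fields: dict


@dataclass
class Alert:
    reason: str          # what kind of persistence artifact was removed
    artifact: str        # registry path or "task:<name>"
    actor: str           # process image (Sysmon) or account name (Security)
    self_cleanup: bool   # same actor created the artifact earlier in the stream


def classify_key(path: str):
    """Return a label if the registry path is a watched persistence location."""
    for pattern, label in PERSISTENCE_KEY_PATTERNS:
        if re.search(pattern, path, re.IGNORECASE):
            return label
    return None


def detect_persistence_cleanup(events):
    """Flag deletions of persistence artifacts; mark those done by their creator."""
    creators = {}   # artifact -> set of actors that created or set it
    alerts = []
    for ev in events:
        f = ev.fields
        if ev.source == "Sysmon" and ev.event_id in (12, 13):
            target = f.get("TargetObject", "")
            label = classify_key(target)
            if label is None:
                continue
            actor = f.get("Image", "<unknown>")
            event_type = f.get("EventType", "")
            if event_type in ("CreateKey", "SetValue"):
                creators.setdefault(target, set()).add(actor)
            elif event_type in ("DeleteKey", "DeleteValue"):
                alerts.append(Alert(f"{label} deleted", target, actor,
                                    actor in creators.get(target, set())))
        elif ev.source == "Security" and ev.event_id in (4698, 4699):
            artifact = "task:" + f.get("TaskName", "")
            actor = f.get("SubjectUserName", "<unknown>")
            if ev.event_id == 4698:          # scheduled task created
                creators.setdefault(artifact, set()).add(actor)
            else:                            # 4699: scheduled task deleted
                alerts.append(Alert("scheduled task deleted", artifact, actor,
                                    actor in creators.get(artifact, set())))
    return alerts


# Constructed sample stream: an implant sets a Run value and registers a task,
# then a new instance removes both; an unrelated IFEO key is deleted by reg.exe.
RUN_VALUE = r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\upd"
IFEO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe"
IMPLANT = r"C:\Users\bob\AppData\Roaming\upd.exe"

SAMPLE_EVENTS = [
    Event("Sysmon", 13, {"EventType": "SetValue", "Image": IMPLANT, "TargetObject": RUN_VALUE}),
    Event("Security", 4698, {"TaskName": r"\Microsoft\Sync", "SubjectUserName": "bob"}),
    Event("Sysmon", 12, {"EventType": "DeleteValue", "Image": r"C:\Windows\explorer.exe",
                         "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\tmp"}),
    Event("Sysmon", 12, {"EventType": "DeleteValue", "Image": IMPLANT, "TargetObject": RUN_VALUE}),
    Event("Security", 4699, {"TaskName": r"\Microsoft\Sync", "SubjectUserName": "bob"}),
    Event("Sysmon", 12, {"EventType": "DeleteKey", "Image": r"C:\Windows\System32\reg.exe",
                         "TargetObject": IFEO_KEY}),
]

if __name__ == "__main__":
    for a in detect_persistence_cleanup(SAMPLE_EVENTS):
        flag = "SELF-CLEANUP" if a.self_cleanup else "deletion"
        print(f"[{flag}] {a.reason}: {a.artifact} by {a.actor}")
```

The creator map is what turns a noisy "persistence key deleted" signal into a high-confidence one: legitimate uninstallers also remove Run values, but an executable in a user profile deleting the value it set itself moments earlier matches the loader behaviour this sub-technique describes. In production the map would be keyed on a bounded time window and the events would come from a central store, which is exactly why the Remote Data Storage mitigation below matters: a host-local log can be cleared by the same cleanup routine.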
Procedure Examples

Name | Description
---|---
SUNBURST | SUNBURST removed IFEO registry values to clean up traces of persistence.(Citation: Microsoft Deep Dive Solorigate January 2021)
MCMD | MCMD has the ability to remove set Registry Keys, including those used for persistence.(Citation: Secureworks MCMD July 2019)
Bazar | Bazar's loader can delete scheduled tasks created by a previous instance of the malware.(Citation: NCC Group Team9 June 2020)
Pillowmint | Pillowmint can uninstall the malicious service from an infected machine.(Citation: Trustwave Pillowmint June 2020)
Misdat | Misdat is capable of deleting Registry keys used for persistence.(Citation: Cylance Dust Storm)
njRAT | njRAT is capable of manipulating and deleting registry keys, including those used for persistence.(Citation: Trend Micro njRAT 2018)
KOCTOPUS | KOCTOPUS can delete created registry keys used for persistence as part of its cleanup procedure.(Citation: MalwareBytes LazyScripter Feb 2021)
GrimAgent | GrimAgent can delete previously created tasks on a compromised host.(Citation: Group IB GrimAgent July 2021)
RTM | RTM has the ability to remove Registry entries that it created for persistence.(Citation: ESET RTM Feb 2017)
Mitigations

Mitigation | Description
---|---
Restrict File and Directory Permissions | Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.
Remote Data Storage | Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.
References
- Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
- Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
- Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
- MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021.
- Priego, A. (2021, July). The Brothers Grim: The Reversing Tale of GrimAgent Malware Used by Ryuk. Retrieved July 16, 2021.
- Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
- Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7's Monkey Thief. Retrieved July 27, 2020.
- Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
- Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.