Indicator Removal [T1070]
Name: Indicator Removal
ID: T1070
Tactics: TA0005
Indicator Removal is a technique recognized within the MITRE ATT&CK framework, categorized under Defense Evasion (T1070). Attackers utilize this technique to evade detection by removing or altering indicators of their malicious activities. Such indicators include logs, files, registry keys, or any other artifacts that could reveal unauthorized access or malicious actions. By carefully removing these indicators, adversaries attempt to maintain persistence, avoid detection, and ensure continued access to compromised systems.
Indicator Removal involves systematically deleting or altering artifacts that signify malicious activity. Attackers employ various methods and mechanisms to achieve this:
Clearing Windows Event Logs:
Attackers commonly use built-in Windows utilities such as wevtutil, powershell, or eventvwr.msc to clear or manipulate event logs.
Commands like wevtutil cl Application or Clear-EventLog in PowerShell are frequently utilized.
Manipulation of Linux Logs:
On Linux-based systems, attackers typically modify or delete log files located in /var/log/.
Tools like shred, rm, or logrotate can be employed to obscure or remove log entries.
File Deletion and Overwriting:
Attackers often delete malicious files after execution or overwrite them to prevent forensic recovery.
Secure deletion tools (sdelete, shred) may be used to prevent recovery through forensic analysis.
Registry Key Manipulation:
Malicious actors may remove or alter registry keys that contain evidence of malware installation or persistence mechanisms.
Commands such as reg delete or PowerShell cmdlets are commonly leveraged.
Timestomping:
Adversaries can modify file timestamps to obscure the true timeline of their activities.
Tools such as timestomp or PowerShell scripts allow attackers to alter file creation, modification, or access timestamps.
Clearing Command History:
Attackers remove shell history (.bash_history, PowerShell history) to erase evidence of executed commands.
Commands like history -c, rm ~/.bash_history, or PowerShell history clearing techniques are employed.
Indicator Removal is typically employed by attackers across multiple stages of the cyber attack lifecycle, including:
Initial Compromise:
Immediately after gaining initial access, attackers may remove indicators to avoid early detection before establishing a foothold.
Persistence and Privilege Escalation:
Adversaries remove indicators related to privilege escalation methods and persistence mechanisms to maintain long-term access.
Defense Evasion:
This technique is primarily categorized under defense evasion; attackers continuously remove or alter indicators throughout the attack lifecycle to evade detection and prevent forensic investigations.
Exfiltration and Post-Exfiltration:
After data exfiltration, attackers often erase logs and artifacts related to data transfer activities to hinder attribution and forensic analysis.
Covering Tracks (Final Stage):
Before exiting compromised systems, attackers thoroughly remove evidence to complicate incident response and forensic investigations.
Detection of Indicator Removal requires proactive monitoring, auditing, and advanced detection mechanisms:
Log Monitoring and SIEM Solutions:
Continuous monitoring and correlation of log events through Security Information and Event Management (SIEM) tools like Splunk, ELK Stack, or QRadar.
Alerting on abnormal log clearing events (e.g., unexpected event log deletions).
Endpoint Detection and Response (EDR) Tools:
EDR solutions such as CrowdStrike Falcon, Carbon Black, or Microsoft Defender for Endpoint detect suspicious file deletions, registry modifications, and log manipulation activities.
File Integrity Monitoring (FIM):
Tools like Tripwire or OSSEC monitor file changes, deletions, and timestamp modifications, alerting security teams to suspicious activities.
Audit Policies and Logging:
Implementing robust audit policies that detect attempts to clear or alter logs (e.g., Windows Security Auditing for Event Log Cleared events - Event ID 1102).
Behavioral Analytics and Machine Learning:
Machine learning-driven security analytics platforms detect anomalies in user or system behavior, such as unusual log deletions or file manipulations.
Indicators of Compromise (IoCs):
Specific IoCs include:
Unexpected clearing of Windows event logs (Event ID 1102).
Missing or modified logs in /var/log/ directories.
Unusual deletion of registry keys related to persistence mechanisms.
Detection of timestomping tools or altered timestamps.
Presence of command history files (.bash_history) being cleared or truncated.
Early detection of Indicator Removal is critical due to its potential impacts on systems and networks:
Impedes Incident Response and Forensics:
Removing indicators complicates forensic investigations and incident response processes, making attribution and remediation difficult.
Prolonged Undetected Persistence:
Attackers who successfully remove indicators can maintain undetected persistence, allowing prolonged unauthorized access and further malicious activities.
Data Loss and Exfiltration:
Undetected attackers can continue exfiltrating sensitive data without raising alarms, leading to severe data breaches and compliance violations.
Operational Disruption:
Persistent undetected threats may disrupt business operations, damage reputation, and incur financial losses.
Compliance and Regulatory Implications:
Organizations failing to detect Indicator Removal may face regulatory penalties, especially in sectors with stringent compliance requirements (e.g., healthcare, finance, government).
Reduced Visibility and Security Posture:
Continuous indicator removal reduces overall visibility into network and system activities, weakening the organization's security posture and resilience.
Real-world examples illustrating Indicator Removal in cyber attacks include:
APT29 (Cozy Bear) Attacks:
Utilized PowerShell scripts to clear Windows event logs and remove artifacts post-compromise.
Impacted governmental and diplomatic organizations, complicating forensic investigations.
FIN7 Cybercrime Group:
Regularly deleted log files and manipulated timestamps to evade detection during payment card data breaches.
Used tools like sdelete to securely erase malicious files after exfiltration.
NotPetya Malware Incident (2017):
Modified Master Boot Record (MBR) and logs to prevent recovery and forensic analysis.
Caused global operational disruptions and significant financial losses.
Operation Cleaver (Iranian Cyber Espionage):
Attackers systematically cleared logs and removed files after data exfiltration from critical infrastructure sectors.
Significantly hindered attribution and delayed remediation efforts.
Carbanak/FIN7 Banking Attacks:
Frequently removed or altered logs and security events on compromised banking systems.
Enabled prolonged unauthorized access, resulting in substantial financial theft.
DarkHotel Threat Actor:
Cleared browser history and logs after credential harvesting attacks on hotel Wi-Fi networks targeting high-profile individuals.
Successfully evaded detection and attribution for extended periods.
Clear Windows Event Logs [T1070.001]
Clearing Windows Event Logs (MITRE ATT&CK sub-technique T1070.001) is a common adversary tactic used to conceal malicious activity and hinder forensic investigations. Attackers often clear or manipulate event logs on compromised Windows systems to remove evidence of their intrusion, execution of malicious code, or lateral movement activities. This sub-technique is categorized under the broader technique "Indicator Removal on Host" (T1070) within the MITRE ATT&CK framework.
Windows operating systems maintain extensive event logs, capturing system, security, application, and operational events. Attackers frequently target these logs to erase traces of their activities. This sub-technique typically involves the following technical methods and mechanisms:
Built-in Windows Utilities:
Attackers commonly utilize built-in Windows command-line utilities such as wevtutil.exe or PowerShell cmdlets to clear event logs:
wevtutil cl <logname> (e.g., wevtutil cl Security)
PowerShell commands such as Clear-EventLog -LogName Security
These built-in tools require administrative privileges to run successfully.
Manual Event Log Deletion:
Attackers may directly delete or overwrite event log files located in %SystemRoot%\System32\winevt\Logs\.
Common log files targeted include Security.evtx, System.evtx, and Application.evtx.
Third-party Tools and Malware:
Specialized malware or hacking tools may incorporate event log clearing capabilities.
Examples include advanced persistent threat (APT) toolkits or popular offensive security frameworks like Metasploit and Cobalt Strike.
Selective Log Deletion or Tampering:
Rather than clearing entire logs, sophisticated attackers may selectively delete or overwrite specific log entries to avoid suspicion.
This selective approach can make detection more challenging and forensic analysis less effective.
Clearing Windows Event Logs is predominantly observed during the following attack scenarios and stages:
Post-Exploitation and Privilege Escalation:
After gaining administrative privileges, attackers clear logs to hide evidence of privilege escalation attempts and successful exploitations.
Lateral Movement and Persistence:
Attackers frequently clear logs after lateral movement activities (such as remote logins, remote code execution, or credential theft) to evade detection during incident response investigations.
Data Exfiltration:
Logs may be cleared to conceal evidence of data access, transfer, or exfiltration activities.
Cleanup and Anti-Forensics:
As part of the final stages of an attack, adversaries commonly erase logs to complicate forensic analysis, incident response, and attribution efforts.
Malware Installation and Execution:
Clearing logs after malware installation or execution prevents defenders from identifying suspicious processes, file creations, or unauthorized activities.
Detection of event log clearing activities involves multiple monitoring strategies, tools, and indicators of compromise (IoCs):
Event Log Monitoring:
Monitor Windows event IDs associated specifically with log clearing:
Event ID 1102 (Security log cleared)
Event ID 104 (System log cleared)
Configure alerting on these event IDs to detect suspicious clearing activities promptly.
Endpoint Detection and Response (EDR) Tools:
EDR solutions can detect suspicious command-line activities or process executions indicative of log clearing (wevtutil.exe, Clear-EventLog cmdlets).
Behavioral analysis can flag unusual or anomalous use of administrative tools.
Centralized Log Management and SIEM:
Implement centralized logging solutions and Security Information and Event Management (SIEM) systems to detect log clearing events through correlation rules and real-time alerts.
SIEM correlation rules can detect sudden disappearance of logs or abnormal log activity patterns.
File Integrity Monitoring (FIM):
FIM tools (e.g., OSSEC, Tripwire) can detect unauthorized changes, deletions, or modifications to log files (.evtx files).
Indicators of Compromise (IoCs):
Presence of the following events or artifacts can indicate log clearing:
Sudden gaps or missing timeframes in event logs.
Presence of wevtutil.exe or PowerShell commands in process execution logs.
Suspicious deletions or modifications of log files in %SystemRoot%\System32\winevt\Logs\.
Early detection of Windows Event Log clearing activities is critical due to the following potential impacts and considerations:
Loss of Critical Evidence:
Event logs provide essential forensic evidence for incident response and investigation. Clearing logs severely hampers the ability to reconstruct attacker actions, timelines, and entry points.
Delayed Incident Response:
Without logs, incident responders may struggle to identify and contain threats promptly, allowing attackers extended dwell time within compromised networks.
Increased Risk of Persistent Compromise:
Attackers clearing logs may have established persistence mechanisms that remain undetected, increasing the likelihood of long-term compromise and further malicious activities.
Compliance and Regulatory Implications:
Organizations subject to regulatory compliance (e.g., PCI DSS, HIPAA, GDPR) may face penalties if attackers clear logs, preventing required audit trails and reporting.
Reduced Attribution Capability:
Loss of log data significantly reduces the chance of attributing attacks to specific threat actors, complicating threat intelligence and future defense strategies.
Real-world examples and attack scenarios involving the clearing of Windows Event Logs include:
APT29 (Cozy Bear):
Known to clear event logs using commands such as wevtutil cl Security to erase evidence of credential theft, lateral movement, and persistence activities during espionage campaigns.
NotPetya Ransomware (2017):
NotPetya malware cleared event logs as part of its destructive payload, severely complicating forensic analysis and remediation efforts for impacted organizations globally.
FIN7 Cybercrime Group:
FIN7 attackers have been documented using PowerShell and built-in Windows utilities to clear event logs after deploying malware and stealing payment card information from compromised point-of-sale systems.
Metasploit Framework Usage:
Attackers leveraging Metasploit modules often incorporate commands to clear event logs as part of automated post-exploitation procedures, reducing the likelihood of detection during penetration tests or malicious intrusions.
Emotet Malware:
Emotet infections have been observed clearing event logs after initial infection and lateral movement to evade detection and maintain persistence within enterprise environments.
In each of these scenarios, attackers aimed to eliminate evidence of their intrusion, complicating detection, response, and forensic investigations, underscoring the importance of robust monitoring and detection strategies.
Clear Command History [T1070.003]
Clear Command History (T1070.003) is a sub-technique of the MITRE ATT&CK framework under the Defense Evasion tactic, specifically categorized within the Indicator Removal on Host technique (T1070). Attackers leveraging this sub-technique attempt to erase or modify shell and command-line history data to conceal their actions, evade detection, and hinder forensic investigations. Clearing command history helps adversaries remove evidence of executed commands, thus complicating incident response and attribution efforts.
Attackers typically perform command history clearing through various methods depending on the operating system and shell environment. Common methods include:
Unix/Linux Systems:
Editing or deleting shell history files (e.g., .bash_history, .zsh_history, .sh_history) located in user home directories.
Executing commands that erase history directly, such as:
Setting environment variables to prevent history logging:
Modifying shell configurations (.bashrc, .profile) to disable history logging permanently.
Windows Systems:
Deleting or modifying command history stored in registry keys or files.
Clearing PowerShell history through commands:
Removing command prompt (cmd.exe) history through registry entries or by terminating command-line sessions.
Attackers may automate these actions via scripts, batch files, or embedded commands within malware payloads. Additionally, advanced threat actors may selectively edit history files, removing only incriminating commands to avoid suspicion.
Attackers commonly utilize Clear Command History (T1070.003) during multiple phases of an attack lifecycle:
Initial Access and Privilege Escalation:
Immediately after gaining initial foothold or elevated privileges to remove any evidence of reconnaissance or exploitation commands.
Persistence and Lateral Movement:
After establishing persistence mechanisms or moving laterally within a network to hide traces of commands used for spreading malware or creating backdoors.
Defense Evasion and Anti-Forensics:
Continuously used throughout the attack lifecycle to evade detection by security analysts and automated detection tools.
During cleanup phases to remove evidence of attacker activities before leaving the compromised environment.
Exfiltration and Impact:
After data exfiltration or destructive actions to eliminate evidence of commands used to transfer or delete sensitive information.
Detection of Clear Command History activities typically involves monitoring and analyzing system logs, audit trails, and user behavior. Common detection methods include:
File Integrity Monitoring (FIM):
Monitoring modifications or deletions of shell history files (.bash_history, .zsh_history) and PowerShell history files.
Alerting on suspicious file deletions or truncations.
Audit Logging and SIEM Tools:
Collecting and analyzing audit logs for suspicious commands such as history -c, Clear-History, or deletion commands targeting history files.
Correlating sudden absence of command history entries or unusual gaps in recorded user activity.
Endpoint Detection and Response (EDR) Solutions:
Monitoring processes and commands executed on endpoints.
Identifying unusual commands and scripts designed to remove or disable command history logging.
Behavioral Analysis and Anomaly Detection:
Establishing baselines of normal behavior for users and systems, then detecting deviations such as sudden history file modifications or deletions.
Alerting on environment variable changes that disable history logging (HISTFILE=/dev/null).
Specific Indicators of Compromise (IoCs) include:
Missing or empty shell history files.
Presence of symbolic links redirecting history files to /dev/null.
Registry modifications or deletions related to command history on Windows systems.
Detection of scripts or commands explicitly designed to disable or clear command history.
Early detection of Clear Command History activities is critical because:
Incident Response and Forensics:
Command histories provide valuable forensic evidence, facilitating investigations into intrusion activities, timelines, and attacker methodologies.
Loss of this data significantly complicates forensic analysis and incident response efforts.
Attack Attribution and Threat Intelligence:
Command history information helps security teams attribute attacks to specific threat actors, malware families, or attack campaigns.
Deletion of command history hinders attribution, enabling attackers to maintain anonymity and evade accountability.
Detection of Ongoing Intrusions:
Identifying attempts to clear command history can indicate an active intrusion or ongoing malicious activity.
Early detection allows rapid containment and remediation, minimizing potential damage.
Preventing Further Compromise:
Attackers who successfully clear command history may continue operating undetected, escalating privileges, moving laterally, or exfiltrating sensitive data.
Detecting this technique promptly can prevent further exploitation and protect critical assets.
Real-world examples demonstrating the use of Clear Command History (T1070.003) include:
APT28 (Fancy Bear):
Known to clear command history after initial compromise to evade detection. Attackers deleted or truncated .bash_history files and used commands such as history -c.
Turla Group:
Routinely executed commands to clear shell histories and redirected history logging to /dev/null to ensure no commands were recorded during their espionage campaigns.
Operation Cloud Hopper (APT10):
Attackers cleared PowerShell history logs using commands like Clear-History and removed command history files to conceal lateral movement and data exfiltration activities.
Carbanak Group:
Utilized scripts and manual commands to clear command history after conducting financial theft operations, complicating forensic investigations by law enforcement.
Tools and commands frequently used by adversaries include:
Unix/Linux:
history -c
rm ~/.bash_history
ln -sf /dev/null ~/.bash_history
Custom shell scripts or aliases designed to automate history clearing.
Windows:
Clear-History (PowerShell)
Removing or editing registry keys storing command history.
Batch scripts or PowerShell scripts designed specifically to erase history files and logs.
Impacts of these real-world incidents include:
Extended attacker dwell times due to delayed detection.
Reduced forensic evidence availability, complicating remediation and attribution.
Increased operational costs and complexity for incident response teams.
Significant data breaches, financial losses, and reputational damage to affected organizations.
Clear Network Connection History and Logs [T1070.007]
Name: Clear Network Connection History and Configurations
ID: T1070.007
Tactics: TA0005
Technique: T1070
The MITRE ATT&CK sub-technique T1070.007, "Clear Network Connection History and Logs," falls under the broader technique of Indicator Removal on Host (T1070). Adversaries utilize this sub-technique to erase or manipulate logs and records related to network connections, thereby obscuring their activities and hindering forensic investigations and incident response efforts. By clearing or modifying network logs, attackers aim to remove evidence of their presence, impede detection, and avoid attribution.
Adversaries typically execute this sub-technique by directly accessing and modifying log files or leveraging built-in system utilities and commands to delete or overwrite network connection history. The primary goal is to remove traces of unauthorized access, lateral movement, or data exfiltration activities.
Technical execution methods include:
Manual Log Deletion or Modification:
Attackers manually delete or modify log files stored on compromised hosts, network devices, or centralized logging servers.
Commonly targeted logs include firewall logs, VPN connection logs, network device access logs, and operating system event logs.
Using System Commands and Utilities:
Windows:
wevtutil: Used to clear Windows Event Logs, including network-related events.
Deletion of logs in %SystemRoot%\System32\winevt\Logs.
Linux/Unix:
Directly editing or removing log files located in /var/log/ (e.g., /var/log/auth.log, /var/log/syslog, /var/log/messages).
Commands such as:
Overwriting logs with empty content:
Automated Scripts and Malware:
Adversaries may deploy automated scripts or custom malware to systematically clear logs after specific actions or at regular intervals.
Such tools may be embedded within persistent malware implants or remote access trojans (RATs).
Tampering Network Devices and Appliances:
Attackers may access network devices (routers, firewalls, VPN gateways) to erase or alter logging configurations and historical connection logs.
This includes direct manipulation of device configuration or log storage systems through administrative interfaces or command-line interfaces.
This sub-technique is commonly employed in multiple stages of an attack lifecycle, particularly during and after intrusion activities to evade detection and forensic analysis:
Initial Access and Establishment:
Immediately after gaining unauthorized access, attackers may clear initial connection logs to conceal their entry point.
Lateral Movement:
After moving laterally between internal hosts or network segments, adversaries remove logs to erase evidence of compromised accounts, IP addresses, or exploited vulnerabilities.
Data Exfiltration:
Following data theft, attackers clear logs to hide network connections to external command-and-control (C2) servers or data exfiltration endpoints.
Persistence and Long-term Access:
Attackers periodically remove logs to maintain stealthy persistence within the compromised environment, making detection challenging over extended periods.
Incident Response Avoidance:
If adversaries suspect detection or active incident response activities, they may proactively clear logs to disrupt forensic investigations and obscure their activities.
Detection of log clearing or modification activities involves monitoring, analyzing, and alerting on unusual behaviors or anomalies related to log files and logging services. Effective detection methods include:
File Integrity Monitoring (FIM):
Implementing FIM solutions to detect unauthorized changes or deletions within critical log files or directories (/var/log/, Windows Event Logs directories).
Centralized Log Management and SIEM:
Aggregating logs into centralized Security Information and Event Management (SIEM) systems for real-time monitoring and alerting on anomalies such as sudden log file size reduction or log deletion events.
Audit Logging and Event Monitoring:
Enabling audit logging of administrative commands (e.g., rm, wevtutil, history -c) and monitoring event IDs related to log clearing actions:
Windows Event ID 1102 ("Audit Log Cleared").
Linux auditd rules to track deletion or modification of log files (/var/log/*).
Behavioral Analytics and Anomaly Detection:
Leveraging behavioral analytics to detect abnormal user or service account activities, such as executing log deletion commands, accessing log files, or disabling logging mechanisms.
Endpoint Detection and Response (EDR) Tools:
Using EDR solutions to detect suspicious processes or scripts interacting with log files or executing commands typically associated with log clearing.
Indicators of Compromise (IoCs) include:
Sudden disappearance or truncation of log files.
Gaps or missing timeframes within logs.
Unexpected administrative commands executed (e.g., log deletion commands).
Alerts generated by FIM or SIEM systems indicating unauthorized log file modifications.
Disabled or altered logging configurations on network devices or hosts.
Early detection of this sub-technique is critical due to its direct impact on incident response, forensic analysis, and organizational security posture. Specifically, the importance arises from:
Loss of Critical Forensic Evidence:
Clearing logs eliminates crucial evidence required for incident investigation, attribution, and determining the scope of compromise.
Delayed Detection and Response:
Successful log clearing extends dwell time, allowing attackers to persist within the environment unnoticed, increasing potential damage.
Reduced Visibility into Network Activities:
Without accurate logs, organizations lose visibility into network connections, lateral movements, and data exfiltration attempts, severely hindering security monitoring and threat hunting efforts.
Increased Risk of Future Attacks:
Attackers who successfully clear logs and remain undetected can exploit the compromised environment repeatedly, escalating privileges, stealing sensitive data, or deploying ransomware.
Compliance and Regulatory Issues:
Loss of logs and records may lead to non-compliance with regulatory requirements, resulting in legal and financial repercussions.
Real-world examples of adversaries employing this sub-technique include:
APT28 (Fancy Bear):
Known to delete logs and event records after intrusion activities to obscure their presence and complicate forensic analysis.
Utilized commands such as wevtutil cl on compromised Windows systems to clear event logs.
APT29 (Cozy Bear):
Observed clearing Bash history files (~/.bash_history) and selectively deleting system logs (/var/log/messages, /var/log/auth.log) on compromised Linux hosts.
FIN7 Cybercrime Group:
Utilized scripts and malware payloads designed to clear event logs and erase evidence of lateral movement and data exfiltration activities from compromised point-of-sale (POS) systems.
DarkSide Ransomware Operators:
After exfiltrating sensitive data and deploying ransomware payloads, attackers cleared Windows event logs and other network connection history to complicate incident response and forensic investigations.
Operation Cleaver (Iranian Threat Actor):
Attackers removed logs and disabled logging mechanisms on compromised network devices and servers to conceal their presence and evade detection.
These examples illustrate the significant role that log clearing plays in sophisticated cyber-attacks, highlighting the necessity of robust detection and prevention mechanisms.
File Deletion [T1070.004]
File Deletion (T1070.004) is a sub-technique within the MITRE ATT&CK framework under the broader category of Indicator Removal on Host (T1070). Attackers frequently utilize this technique to delete files or logs from compromised systems, aiming to remove evidence of their presence and actions. By eliminating artifacts such as malware binaries, scripts, logs, or configuration files, adversaries seek to evade detection, forensic analysis, and attribution.
File Deletion involves removing files from compromised systems through various methods and mechanisms. Attackers typically employ built-in system utilities, custom scripts, or malware to execute file deletions. Common execution methods and mechanisms include:
System Commands and Utilities:
Windows-based:
del or erase commands via Command Prompt (cmd.exe)
PowerShell commands such as Remove-Item
Windows API calls (DeleteFile, RemoveDirectory)
Batch scripts (.bat) or PowerShell scripts (.ps1) designed for automated cleanup
Linux/Unix-based:
rm, unlink commands via shell scripts or terminal
Commands executed through cron jobs or scheduled tasks for automated deletion
Malware Capabilities:
Malware or implants with built-in functionality to delete files after execution or upon receiving external commands from command-and-control (C2) servers
Ransomware variants deleting backup files or shadow copies to hinder recovery attempts
Automated Cleanup Scripts:
Custom-made scripts executed post-compromise to systematically remove logs, temporary files, malware binaries, or configuration files created during the attack lifecycle
Adversaries often target specific types of files for deletion, such as:
Event logs (Windows Event Logs, syslog, application logs)
Temporary files and scripts used during exploitation
Malware binaries after successful persistence or lateral movement
Configuration files revealing attacker infrastructure or commands executed
This sub-technique commonly appears across multiple stages of the cyber kill chain, primarily during the following scenarios and stages:
Defense Evasion:
Attackers delete logs and artifacts to evade detection by security monitoring tools or forensic analysts.
Removal of malware binaries after achieving persistence to minimize detection risk.
Post-Exploitation Cleanup:
Adversaries remove temporary files, scripts, or tools used during initial access, privilege escalation, or lateral movement stages.
Deletion of command history or shell history files to obscure executed commands.
Impact Stage (Ransomware):
Ransomware operators delete backup files, shadow copies, or snapshots to prevent victims from restoring data without paying ransom.
Incident Response Interference:
During active investigations, attackers may delete forensic artifacts or logs to impede incident response and forensic analysis efforts.
Detection of File Deletion activity involves monitoring system events, file system changes, and log analysis. Detection methods include:
File System Monitoring:
Implementing file integrity monitoring (FIM) solutions such as OSSEC, Tripwire, or built-in Windows File Integrity Monitoring.
Monitoring file deletion events through endpoint detection and response (EDR) tools or host intrusion detection systems (HIDS).
System and Event Log Monitoring:
Windows:
Monitoring Windows Security Event Logs for Event IDs related to file deletion (e.g., Event ID 4660 - Object Deleted).
Monitoring PowerShell logs (Event IDs 4103, 4104) for suspicious file removal activity.
Linux/Unix:
Monitoring audit logs (auditd) for deletion events (unlink, rmdir syscalls).
Reviewing shell command histories and logs for suspicious use of rm commands.
Endpoint Detection and Response (EDR) Tools:
Leveraging EDR platforms like CrowdStrike Falcon, Carbon Black, Microsoft Defender ATP, or SentinelOne to detect suspicious file deletion activity.
Correlation of behavioral indicators and process execution patterns indicative of attacker activity.
Indicators of Compromise (IoCs):
Sudden deletion of critical logs or security-related files.
Unusual execution of deletion commands (del, erase, rm) from unexpected processes or users.
Detection of automated scripts or scheduled tasks designed explicitly for file deletion.
Early detection of File Deletion is crucial due to its potential impacts on incident response, forensic analysis, and organizational security posture. Importance includes:
Preservation of Forensic Evidence:
Preventing attackers from successfully removing critical forensic artifacts that help reconstruct attack timelines, identify attacker techniques, and facilitate attribution.
Incident Response Efficiency:
Early detection allows incident responders to quickly isolate compromised systems, secure forensic evidence, and minimize damage.
Reducing Attacker Dwell Time:
Identifying file deletion attempts may uncover ongoing attacker activity, enabling defenders to disrupt further attacker objectives and limit lateral movement.
Minimizing Operational Impact:
Preventing deletion of critical system files, logs, or backups reduces operational disruptions, data loss, and recovery costs.
Compliance and Audit Requirements:
Ensuring comprehensive logging and file integrity monitoring aligns with regulatory compliance standards and audit requirements.
Real-world examples involving File Deletion include:
NotPetya Ransomware (2017):
Attack Scenario:
Malware executed commands to delete Windows Shadow Copies using vssadmin delete shadows /all /quiet.
Tools used:
Built-in Windows utilities (vssadmin.exe)
Impact:
Victims were unable to recover encrypted data from local backups, leading to extensive data loss and operational disruption.
APT29 (Cozy Bear) Operations:
Attack Scenario:
After successful intrusion, APT29 operators routinely deleted malware binaries and scripts used during initial compromise and lateral movement phases.
Tools used:
Custom scripts, PowerShell commands (Remove-Item), and native Windows commands (del).
Impact:
Difficulty in forensic analysis and attribution due to limited remaining artifacts.
FIN7 Cybercrime Group:
Attack Scenario:
FIN7 attackers used scripts to delete logs, temporary files, and malware payloads after successful financial data exfiltration.
Tools used:
Batch scripts, PowerShell scripts, built-in Windows utilities.
Impact:
Reduced forensic visibility, complicating incident response and delaying detection.
Shamoon Malware (2012, 2016, 2018):
Attack Scenario:
Shamoon malware deleted files and overwrote systems to disrupt operations and render systems unusable.
Tools used:
Malware with embedded deletion and wiping capabilities.
Impact:
Extensive operational disruption, data loss, and significant recovery efforts required.
These examples highlight the prevalence and critical importance of detecting File Deletion activity in cyber incidents.
Timestomp [T1070.006]
Timestomp (T1070.006) is a sub-technique within the MITRE ATT&CK framework categorized under "Indicator Removal on Host" (T1070). It involves the manipulation or modification of file timestamps to obscure attacker activities, making forensic analysis and incident response more challenging. Attackers typically use timestomping to conceal file creation, modification, or access dates, hindering accurate timeline reconstruction and detection.
Timestomping involves altering file timestamps—such as creation, modification, access, and metadata change times—to obscure evidence of malicious activity. Attackers utilize various methods and tools to execute this technique, including:
Native OS Utilities:
Windows:
powershell: Attackers can leverage PowerShell commands or scripts to modify timestamps.
copy and move commands: File operations may alter timestamps indirectly.
Linux/Unix:
touch: Commonly used to alter access and modification timestamps.
stat and date: Used to verify and manipulate file timestamps.
Third-Party or Custom Tools:
Metasploit Framework's timestomp module: Specifically designed to alter timestamps on Windows systems.
SetMACE: A standalone utility capable of modifying file timestamps on NTFS file systems.
Cobalt Strike's built-in timestomp functionality: Integrated into attacker workflow to mask persistence and lateral movement.
Underlying Mechanisms:
Windows systems store timestamps in the NTFS Master File Table (MFT), making them susceptible to modification through direct MFT manipulation or system API calls.
Unix-based systems store timestamps in the inode structure, which can be modified using system calls or utilities that interact directly with file metadata.
Procedures and Execution:
Attackers typically execute timestomping after creating or modifying malicious files, malware payloads, or scripts.
They may copy timestamps from legitimate system files to malicious files, blending malicious artifacts with normal system activity.
Automated scripts or post-exploitation frameworks frequently integrate timestomping to streamline attacker workflows and evade detection.
Attackers commonly employ timestomping across multiple stages of an attack lifecycle, including:
Initial Access and Execution:
Immediately after dropping malicious payloads or scripts onto the compromised host, attackers may alter timestamps to blend newly introduced files with legitimate system files.
Persistence and Privilege Escalation:
Files used for maintaining persistent access, such as scheduled tasks, startup scripts, or registry entries, may have timestamps modified to hide their recent creation or modification.
Defense Evasion:
Timestomping is primarily a defense evasion technique, used to obstruct forensic investigations by disrupting the chronological reconstruction of attacker actions.
Exfiltration and Cleanup:
After data exfiltration or before leaving the compromised host, attackers may alter timestamps of files and logs to conceal their activity and complicate forensic investigations.
Detection of timestomping involves multiple methods, tools, and indicators of compromise (IoCs):
Forensic Analysis Tools:
Tools such as EnCase, FTK, Autopsy, and Sleuth Kit can detect inconsistencies in file timestamps or metadata anomalies.
Timeline analysis tools (e.g., Plaso, log2timeline) help identify suspicious timestamp anomalies and events out of chronological order.
Endpoint Detection and Response (EDR) Solutions:
EDR tools like CrowdStrike Falcon, Carbon Black, Microsoft Defender for Endpoint, and SentinelOne can detect suspicious API calls or file operations indicative of timestomping.
Behavioral detection capabilities in EDR platforms can flag unusual timestamp modifications or patterns.
File System Analysis:
Comparing timestamps across multiple sources (e.g., NTFS MFT records, Windows Event Logs, Prefetch files, registry hives) can uncover discrepancies indicating timestomping.
Analysis of NTFS journaling and USN (Update Sequence Number) journal entries can reveal suspicious timestamp manipulations.
Indicators of Compromise (IoCs):
Files with timestamps earlier than OS installation date or significantly inconsistent timestamps.
Files with identical timestamps to known legitimate system files.
Log entries indicating usage of known timestomp tools or suspicious commands (e.g., PowerShell scripts invoking timestamp modification commands).
Early detection of timestomping is crucial due to its significant implications on forensic investigations, incident response, and overall security posture:
Forensic Challenges:
Timestomping complicates the accurate reconstruction of incident timelines, making it difficult to determine the scope, duration, and impact of an attack.
Without reliable timestamps, incident responders may overlook critical evidence or misinterpret attacker actions.
Incident Response Delays:
Obfuscation of timestamps can lead to delays in identifying compromised systems, allowing attackers extended time to maintain persistence, escalate privileges, or exfiltrate sensitive data.
Increased Attacker Dwell Time:
Successful timestomping contributes to increased attacker dwell time, providing attackers more opportunities to conduct lateral movement, data exfiltration, or additional malicious activities.
Compliance and Legal Implications:
Organizations subject to regulatory compliance or legal investigations rely heavily on accurate forensic evidence. Timestomping can undermine evidence integrity, complicating compliance audits or legal proceedings.
Proactive Defense:
Detecting timestomping can serve as an early indicator of compromise, allowing security teams to proactively investigate and remediate before significant damage occurs.
Real-world examples of timestomping demonstrate its use across various attack scenarios, tools employed, and impacts:
APT29 (Cozy Bear):
Utilized timestomping techniques to modify timestamps on malicious files, making forensic analysis difficult and hindering incident response efforts.
Leveraged custom scripts and built-in Windows commands to obscure timestamps and evade detection during espionage campaigns.
FIN7 Threat Group:
Frequently employed timestomping to mask the creation and modification times of malware payloads used in financial sector attacks.
Used publicly available tools such as Metasploit's timestomp module and custom PowerShell scripts to alter timestamps.
Operation Aurora (Google Attack):
Attackers modified timestamps of malware files to blend with legitimate system files, complicating forensic analysis and delaying detection.
Utilized built-in Windows utilities and custom malware to manipulate file timestamps during the intrusion.
Carbanak Group:
Employed timestomping to conceal malicious scripts and executables on compromised banking systems, extending dwell time and facilitating large-scale financial theft.
Used both custom-developed timestomping utilities and publicly available tools to evade detection and forensic analysis.
Ransomware Operations:
Ransomware operators frequently leverage timestomping to hide malicious payloads and scripts, delaying detection and response efforts.
Observed in ransomware families such as Ryuk, Conti, and LockBit, where attackers extensively modified timestamps to evade endpoint detection and forensic analysis.
These examples illustrate the widespread use of timestomping by threat actors to evade detection, complicate forensic analysis, and extend operational effectiveness during cyberattacks.