Indicator Removal on Host
What: Indicator Removal on Host
Indicator Removal on Host refers to a category of techniques used by attackers to manipulate or delete artifacts on a computer system that could be used to detect their presence or activities. This is part of the MITRE ATT&CK framework, specifically classified under the "Defense Evasion" tactic. The goal is to hinder the efforts of defenders, incident responders, and forensic investigators in identifying and understanding malicious activity.
How: Techniques and Methods
- Deletion of Logs: Attackers might clear event logs (e.g., Windows Event Logs using wevtutil or the Clear-EventLog PowerShell cmdlet) or delete specific entries that record their activities.
- Modification of Timestamps: Tools like timestomp from the Metasploit framework allow modification of file timestamps (MAC times: Modified, Accessed, Created), making forensic analysis more challenging.
- Clearing Bash History: On Linux systems, attackers may clear or manipulate .bash_history to remove traces of commands they executed.
- Disabling Auditing Services: By modifying system configurations such as audit policies (auditpol.exe on Windows), attackers can prevent logging of future actions.
- Manipulation of Artifact Files: This includes altering or deleting files that might be indicators of compromise, such as malware files, dropped scripts, or modified binaries.
- Use of Fileless Techniques: Employing methods that operate in memory (e.g., reflective DLL injection) reduces the footprint left on disk, which lowers the chance of detection through traditional file scanning.
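From the defender's side, the log-deletion and audit-disabling techniques above leave their own traces: the Security channel records that the log was cleared (event 1102), the System channel records a cleared log (event 104), audit policy changes are recorded as event 4719, and process-creation events (4688) capture the command lines of wevtutil, Clear-EventLog and auditpol. The following is an added example, not code from this page, that runs such a check over a constructed set of normalised event records; the field names (channel, id, user, cmdline) are an assumption about how a SIEM would present them.

```python
import re

# Constructed sample events (not real telemetry). Fields mimic Windows Event
# Log records after SIEM normalisation; only 4688 events carry a command line.
SAMPLE_EVENTS = [
    {"channel": "Security", "id": 4688, "user": "CORP\\alice",
     "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"channel": "Security", "id": 4688, "user": "CORP\\svc-backup",
     "cmdline": "wevtutil.exe cl Security"},
    {"channel": "Security", "id": 1102, "user": "CORP\\svc-backup", "cmdline": ""},
    {"channel": "System", "id": 104, "user": "CORP\\svc-backup", "cmdline": ""},
    {"channel": "Security", "id": 4688, "user": "CORP\\bob",
     "cmdline": 'powershell.exe -nop -c "Clear-EventLog -LogName Application"'},
    {"channel": "Security", "id": 4688, "user": "CORP\\bob",
     "cmdline": 'auditpol.exe /set /subcategory:"Process Creation" /success:disable'},
    {"channel": "Security", "id": 4719, "user": "CORP\\bob", "cmdline": ""},
]

# Event IDs that directly record a cleared log or an audit-policy change.
DIRECT_IDS = {
    1102: "Security log cleared",
    104: "Event log cleared (System channel)",
    4719: "System audit policy changed",
}

# Command-line patterns for the utilities named in the list above.
CMD_PATTERNS = [
    (re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I), "wevtutil clear-log"),
    (re.compile(r"\bClear-EventLog\b", re.I), "Clear-EventLog cmdlet"),
    (re.compile(r"\bauditpol(\.exe)?\s+/(clear|remove)\b", re.I), "auditpol policy cleared"),
    (re.compile(r"\bauditpol(\.exe)?\s+/set\b.*:disable\b", re.I), "auditpol category disabled"),
]


def detect_indicator_removal(events):
    """Return (user, reason, evidence) tuples for events suggesting log or audit tampering."""
    hits = []
    for ev in events:
        if ev["id"] in DIRECT_IDS:
            hits.append((ev["user"], DIRECT_IDS[ev["id"]], f"{ev['channel']}/{ev['id']}"))
            continue
        if ev["id"] == 4688:
            for pattern, reason in CMD_PATTERNS:
                if pattern.search(ev["cmdline"]):
                    hits.append((ev["user"], reason, ev["cmdline"]))
                    break  # one alert per process-creation event is enough
    return hits


if __name__ == "__main__":
    for user, reason, evidence in detect_indicator_removal(SAMPLE_EVENTS):
        print(f"{user:18} {reason:30} {evidence}")
```

Correlating a 4688 hit with a following 1102 or 104 from the same user, as in the svc-backup events, gives a higher-confidence alert than either record alone.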
Where: Application in Systems
These techniques can be applied across various platforms:
- Windows Systems: Involves interaction with Windows APIs, PowerShell commands, and system utilities like Event Viewer.
- Linux/Unix Systems: Involves manipulation using shell commands and editing the configuration of logging services such as syslog or auditd.
- Network Devices and IoT: May involve altering logs or configurations directly accessible through administrative interfaces.
Why: Motivations Behind Usage
The primary motivation for using these techniques is to evade detection by:
- Avoiding Forensic Analysis: By removing traces that could lead to detection and analysis, attackers prolong their presence within the environment undetected.
- Preventing Incident Response: If security personnel cannot find evidence of an intrusion or understand its scope due to missing indicators, they cannot respond effectively.
- Maintaining Access and Control: Ensuring ongoing access without discovery is crucial for conducting further malicious activities such as data exfiltration, espionage, or spreading laterally within a network.
In conclusion, "Indicator Removal on Host" encompasses various methods aimed at preventing defenders from detecting and analyzing malicious activity effectively. These actions are critical in advanced persistent threats (APTs), where attackers want stealth and long-term access. Understanding these techniques allows cybersecurity professionals to better anticipate and mitigate strategies used for defense evasion.