T1070.md

File metadata and controls

114 lines (76 loc) · 3.65 KB

T1070 - Indicator Removal on Host

Adversaries may delete or alter generated artifacts on a host system, including logs and potentially captured files such as quarantined malware. Locations and format of logs will vary, but typical organic system logs are captured as Windows events or as Linux/macOS files such as [Bash History](https://attack.mitre.org/techniques/T1139) and /var/log/*.

Actions that interfere with eventing and other notifications that can be used to detect intrusion activity may compromise the integrity of security solutions, causing events to go unreported. They may also make forensic analysis and incident response more difficult due to lack of sufficient data to determine what occurred.

Clear Windows Event Logs

Windows event logs are a record of a computer's alerts and notifications. Microsoft defines an event as "any significant occurrence in the system or in a program that requires users to be notified or an entry added to a log." Windows ships with three system-defined logs: System, Application, and Security. The Security log holds the audit trail (logons, account management, object and directory service access) and is the one adversaries most often target.

Adversaries who have performed auditable actions such as account management, account logon or directory service access may clear the corresponding log to hide their activity.

The event logs can be cleared with the following utility commands:

  • wevtutil cl system
  • wevtutil cl application
  • wevtutil cl security

Logs may also be cleared through other mechanisms, such as PowerShell's Clear-EventLog cmdlet. Clearing the Security log requires administrative privileges, and the clear itself is recorded: clearing the Security log writes Event ID 1102 to the Security log, and clearing any other log writes Event ID 104 to the System log, both from the Microsoft-Windows-Eventlog provider and naming the account that issued the command. An adversary therefore has to clear the log that records the clear as well, which is why these two events are a high-signal detection.
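As an added example (not part of the Atomic Red Team page or its test definitions), the following Python flags the two "log cleared" events over event XML such as `wevtutil qe Security /f:xml` exports. The sample records are constructed here in the layout Windows uses for Event ID 1102 and 104 (the `LogFileCleared` UserData block with `SubjectUserName`, `SubjectDomainName` and, for 104, the `Channel` that was cleared); verify the field names against records from your own hosts before relying on them.

```python
"""Flag Windows event-log clears (Event ID 1102 and 104) in exported event XML."""
import xml.etree.ElementTree as ET

# Both events come from the Microsoft-Windows-Eventlog provider:
# 1102 is written to the Security log when the Security log is cleared,
# 104 is written to the System log when any other log is cleared.
LOG_CLEARED_IDS = {1102: "Security log cleared", 104: "Event log cleared"}

# Constructed sample export: a Security-log clear, an Application-log clear, and an
# ordinary logon (4624) that must not be flagged.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Eventlog"/><EventID>1102</EventID>
    <TimeCreated SystemTime="2024-05-01T10:15:00.000Z"/>
    <Channel>Security</Channel><Computer>ws01.corp.example</Computer></System>
  <UserData><LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
    <SubjectUserSid>S-1-5-21-1-2-3-1001</SubjectUserSid><SubjectUserName>jdoe</SubjectUserName>
    <SubjectDomainName>CORP</SubjectDomainName><SubjectLogonId>0x3e7f1</SubjectLogonId>
  </LogFileCleared></UserData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Eventlog"/><EventID>104</EventID>
    <TimeCreated SystemTime="2024-05-01T10:15:07.000Z"/>
    <Channel>System</Channel><Computer>ws01.corp.example</Computer></System>
  <UserData><LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
    <SubjectUserName>jdoe</SubjectUserName><SubjectDomainName>CORP</SubjectDomainName>
    <Channel>Application</Channel><BackupPath></BackupPath>
  </LogFileCleared></UserData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
    <TimeCreated SystemTime="2024-05-01T10:14:00.000Z"/>
    <Channel>Security</Channel><Computer>ws01.corp.example</Computer></System>
</Event>
</Events>"""


def _local(tag):
    """Strip the XML namespace prefix so matching works regardless of xmlns."""
    return tag.rsplit("}", 1)[-1]


def _text(elem, name):
    """Text of the first descendant whose local tag name is `name`, else ''."""
    for child in elem.iter():
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return ""


def find_log_clears(xml_text):
    """Return one dict per log-clear event found in an <Events> export (or a single <Event>)."""
    root = ET.fromstring(xml_text)
    events = [root] if _local(root.tag) == "Event" else list(root)
    hits = []
    for ev in events:
        system = next((c for c in ev if _local(c.tag) == "System"), None)
        if system is None or not _text(system, "EventID").isdigit():
            continue
        event_id = int(_text(system, "EventID"))
        if event_id not in LOG_CLEARED_IDS:
            continue
        userdata = next((c for c in ev if _local(c.tag) == "UserData"), None)
        cleared, user = _text(system, "Channel"), ""
        if userdata is not None:
            name, domain = _text(userdata, "SubjectUserName"), _text(userdata, "SubjectDomainName")
            user = f"{domain}\\{name}" if domain else name
            # 104 names the cleared log in UserData; 1102 always means the Security log.
            cleared = _text(userdata, "Channel") or cleared
        time_el = next((c for c in system if _local(c.tag) == "TimeCreated"), None)
        hits.append({
            "event_id": event_id,
            "description": LOG_CLEARED_IDS[event_id],
            "cleared_log": cleared,
            "user": user,
            "computer": _text(system, "Computer"),
            "time": time_el.get("SystemTime", "") if time_el is not None else "",
        })
    return hits


if __name__ == "__main__":
    for hit in find_log_clears(SAMPLE_EVENTS):
        print(f"{hit['time']} {hit['computer']}: {hit['description']} ({hit['cleared_log']}) by {hit['user']}")
```

Because Event 1102 lives in the Security log it is only visible while that log still exists; forward both events to a collector so that a second `wevtutil cl security` cannot erase the record of the first.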

Atomic Tests


Atomic Test #1 - Clear Logs

Clear Windows Event Logs

Supported Platforms: Windows

Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| log_name | Windows Log Name, ex System | String | System |

Run it with command_prompt!

wevtutil cl #{log_name}


Atomic Test #2 - FSUtil

Deletes the update sequence number (USN) change journal on the C: volume. The journal is a persistent record of all changes made to files on the volume, which forensic tools use to reconstruct file creation, modification and deletion even after the files themselves are gone; deleting it removes that history. The command needs an elevated prompt, and `fsutil usn queryjournal C:` shows whether a journal is present before and after the test.

Supported Platforms: Windows

Run it with command_prompt!

fsutil usn deletejournal /D C:


Atomic Test #3 - rm -rf

Delete system and audit logs. The paths below are macOS locations (/private/var is where macOS keeps /var); on Linux the equivalents are /var/log/* and the auditd directory, typically /var/log/audit/.

Supported Platforms: macOS, Linux

Run it with sh!

rm -rf /private/var/log/system.log*
rm -rf /private/var/audit/*


Atomic Test #4 - Overwrite Linux Mail Spool

This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers. Note the exact form of the command: `echo 0>` is parsed by the shell as `echo` with file descriptor 0 redirected to the spool, so the file is truncated to zero bytes rather than having "0" written into it; either way the contents are gone.

Supported Platforms: Linux

Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of mail spool | String | root |

Run it with bash!

echo 0> /var/spool/mail/#{username}


Atomic Test #5 - Overwrite Linux Log

This test overwrites the specified log (by default /var/log/secure, where RHEL-family systems record authentication events) using the same `echo 0>` truncation as the mail spool test. This technique was used by threat actor Rocke during the exploitation of Linux web servers.

Supported Platforms: Linux

Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| log_path | Path of specified log | Path | /var/log/secure |

Run it with bash!

echo 0> #{log_path}
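The following Python is an added example, not part of Atomic Red Team, that serves Atomic Tests #3, #4 and #5 together: it seeds a scratch file with constructed log lines, runs the exact commands from the tests against it under /bin/sh, and classifies what happened to the file from an inode/size snapshot taken before and after. The snapshot and `classify` helpers are illustrative code of my own; the verdict labels are assumptions about how a responder would name the transitions.

```python
"""Run the overwrite/delete tests against a scratch log and classify the result."""
import os
import subprocess
import tempfile

# Constructed lines standing in for /var/log/secure; only their byte count matters here.
SAMPLE_LOG = (
    "May  1 10:15:01 host sshd[2201]: Accepted publickey for root from 203.0.113.7 port 51234\n"
    "May  1 10:15:02 host sshd[2201]: pam_unix(sshd:session): session opened for user root\n"
)


def snapshot(path):
    """Record the log's inode and size, or None if the file no longer exists."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return {"inode": st.st_ino, "size": st.st_size}


def classify(before, after):
    """Label the transition between two snapshots of the same log path."""
    if after is None:
        return "deleted"        # rm -rf style removal (Atomic Test #3)
    if after["inode"] != before["inode"]:
        return "replaced"       # new file at the same path: logrotate, or a copied-back log
    if after["size"] < before["size"]:
        return "truncated"      # in-place overwrite such as `echo 0> log` (Tests #4 and #5)
    return "appended" if after["size"] > before["size"] else "unchanged"


def run_sh(command):
    """Run the command exactly as an operator would type it, under /bin/sh."""
    subprocess.run(["sh", "-c", command], check=True)


def exercise(command_template):
    """Seed a log in a temp dir, run the command against it, return before/after/verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "secure")
        with open(path, "w") as fh:
            fh.write(SAMPLE_LOG)
        before = snapshot(path)
        run_sh(command_template.format(path=path))
        after = snapshot(path)
        return {"before": before, "after": after, "verdict": classify(before, after)}


def demo():
    """Compare the actor's exact command, the spaced variant, and outright deletion."""
    return {
        # `0>` is a redirection of fd 0, so echo has no argument: the shell truncates the
        # file to 0 bytes and echo's newline goes to stdout, not into the log.
        "actor_form": exercise("echo 0> {path}"),
        # With a space the shell writes the literal "0\n" (2 bytes) into the log instead.
        "spaced_form": exercise("echo 0 > {path}"),
        "deletion": exercise("rm -rf {path}"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        after = result["after"]["size"] if result["after"] else "gone"
        print(f"{name:12s} size {result['before']['size']} -> {after}: {result['verdict']}")
```

A shrinking size on an unchanged inode is the signature of these tests; logrotate and most log shippers create a new inode, so a size drop without an inode change is worth alerting on (auditd `-w /var/log/secure -p wa` or a file-integrity monitor will give you the same signal with the responsible process attached).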