Indicator Removal - T1070
(ATT&CK® Technique)
Definition
Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary, or by something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. The location, format, and type of artifact (such as command or login history) are often specific to each platform.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
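graph LR;
  %% D3FEND inferred relationships for ATT&CK T1070 (Indicator Removal).
  %% Solid arrows link a technique to a digital artifact it acts on.
  %% Dotted arrows carry the inferred may-* relationship from a countermeasure to T1070.
  %% Every dotted arrow is accompanied by a solid arrow from the same countermeasure
  %% to an artifact that T1070 also touches, so each one is a candidate control to
  %% evaluate rather than a statement of verified coverage.

  %% Artifacts the offensive technique acts on.
  T1070["Indicator Removal"] --> |deletes| File["File"];
  T1070["Indicator Removal"] --> |forges| FileSystemMetadata["File System Metadata"];
  T1070["Indicator Removal"] --> |may-modify| File["File"];
  T1070["Indicator Removal"] --> |modifies| EventLog["Event Log"];
  T1070["Indicator Removal"] --> |modifies| CommandHistoryLog["Command History Log"];
  T1070["Indicator Removal"] --> |modifies| OperatingSystemLogFile["Operating System Log File"];
  T1070["Indicator Removal"] --> |unmounts| NetworkFileShareResource["Network File Share Resource"];

  %% NOTE(review): no countermeasure in this graph is linked to File System Metadata,
  %% Event Log or Command History Log, so coverage of those artifacts has to be
  %% assessed separately.

  %% Harden: File Encryption.
  FileEncryption["File Encryption"] --> | encrypts | OperatingSystemLogFile["Operating System Log File"];
  FileEncryption["File Encryption"] -.-> | may-harden | T1070["Indicator Removal"];
  FileEncryption["File Encryption"] --> | encrypts | File["File"];

  %% Isolate: Local File Permissions.
  LocalFilePermissions["Local File Permissions"] --> | restricts | OperatingSystemLogFile["Operating System Log File"];
  LocalFilePermissions["Local File Permissions"] -.-> | may-isolate | T1070["Indicator Removal"];
  LocalFilePermissions["Local File Permissions"] --> | restricts | File["File"];

  %% Deceive: Decoy Network Resource and Decoy File.
  DecoyNetworkResource["Decoy Network Resource"] --> | spoofs | NetworkFileShareResource["Network File Share Resource"];
  DecoyNetworkResource["Decoy Network Resource"] -.-> | may-deceive | T1070["Indicator Removal"];
  DecoyFile["Decoy File"] --> | spoofs | OperatingSystemLogFile["Operating System Log File"];
  DecoyFile["Decoy File"] -.-> | may-deceive | T1070["Indicator Removal"];
  DecoyFile["Decoy File"] --> | spoofs | File["File"];

  %% Detect: File Integrity Monitoring.
  FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | OperatingSystemLogFile["Operating System Log File"];
  FileIntegrityMonitoring["File Integrity Monitoring"] -.-> | may-detect | T1070["Indicator Removal"];
  FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | File["File"];

  %% Evict: File Eviction (its second artifact edge appears further down, in source order).
  FileEviction["File Eviction"] --> | deletes | File["File"];
  FileEviction["File Eviction"] -.-> | may-evict | T1070["Indicator Removal"];

  %% Isolate: Network Resource Access Mediation.
  NetworkResourceAccessMediation["Network Resource Access Mediation"] --> | isolates | NetworkFileShareResource["Network File Share Resource"];
  NetworkResourceAccessMediation["Network Resource Access Mediation"] -.-> | may-isolate | T1070["Indicator Removal"];

  %% Detect: File Analysis.
  FileAnalysis["File Analysis"] --> | analyzes | File["File"];
  FileAnalysis["File Analysis"] -.-> | may-detect | T1070["Indicator Removal"];
  FileAnalysis["File Analysis"] --> | analyzes | OperatingSystemLogFile["Operating System Log File"];

  %% Evict: File Eviction, second artifact edge.
  FileEviction["File Eviction"] --> | deletes | OperatingSystemLogFile["Operating System Log File"];

  %% Restore: Restore File.
  RestoreFile["Restore File"] --> | restores | OperatingSystemLogFile["Operating System Log File"];
  RestoreFile["Restore File"] -.-> | may-restore | T1070["Indicator Removal"];
  RestoreFile["Restore File"] --> | restores | File["File"];

  %% Detect: System File Analysis.
  SystemFileAnalysis["System File Analysis"] --> | analyzes | OperatingSystemLogFile["Operating System Log File"];
  SystemFileAnalysis["System File Analysis"] -.-> | may-detect | T1070["Indicator Removal"];

  %% Isolate: Remote File Access Mediation.
  RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | File["File"];
  RemoteFileAccessMediation["Remote File Access Mediation"] -.-> | may-isolate | T1070["Indicator Removal"];
  RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | OperatingSystemLogFile["Operating System Log File"];

  %% Node styling, declared once per node instead of after every edge.
  class T1070 OffensiveTechniqueNode;
  class File,FileSystemMetadata,EventLog,CommandHistoryLog,OperatingSystemLogFile,NetworkFileShareResource ArtifactNode;
  class FileEncryption,LocalFilePermissions,DecoyNetworkResource,DecoyFile,FileIntegrityMonitoring,FileEviction,NetworkResourceAccessMediation,FileAnalysis,RestoreFile,SystemFileAnalysis,RemoteFileAccessMediation DefensiveTechniqueNode;

  %% Click targets, one per node that the original graph made clickable.
  click T1070 href "/offensive-technique/attack/T1070/";
  click File href "/dao/artifact/d3f:File";
  click FileSystemMetadata href "/dao/artifact/d3f:FileSystemMetadata";
  click EventLog href "/dao/artifact/d3f:EventLog";
  click CommandHistoryLog href "/dao/artifact/d3f:CommandHistoryLog";
  click OperatingSystemLogFile href "/dao/artifact/d3f:OperatingSystemLogFile";
  click NetworkFileShareResource href "/dao/artifact/d3f:NetworkFileShareResource";
  click FileEncryption href "/technique/d3f:FileEncryption";
  click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";
  click DecoyNetworkResource href "/technique/d3f:DecoyNetworkResource";
  click DecoyFile href "/technique/d3f:DecoyFile";
  click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring";
  click FileEviction href "/technique/d3f:FileEviction";
  click NetworkResourceAccessMediation href "/technique/d3f:NetworkResourceAccessMediation";
  click FileAnalysis href "/technique/d3f:FileAnalysis";
  click RestoreFile href "/technique/d3f:RestoreFile";
  click SystemFileAnalysis href "/technique/d3f:SystemFileAnalysis";
  click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";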