Indicator Removal - T1070
(ATT&CK® Technique)
Definition
Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary, or may be attributable to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. The location, format, and type of artifact (such as command or login history) are often specific to each platform.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
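graph LR;
%% D3FEND inferred-relationship graph for ATT&CK T1070 (Indicator Removal).
%% One statement per line: the original listing broke lines in the middle of
%% statements (e.g. "class FileEviction" / "DefensiveTechniqueNode;"), and a
%% newline ends a Mermaid statement. Repeated class/click statements are
%% collapsed to one per node; every edge is kept, in its original order.
%%
%% Solid edges: what a technique does to a digital artifact.
%% Dotted edges: the "may-*" relationship from a defensive technique to T1070,
%% i.e. a possible countermeasure, not a guaranteed one.

%% --- Offensive technique -> artifacts it touches ---
T1070["Indicator Removal"] --> |deletes| File["File"];
T1070["Indicator Removal"] --> |forges| FileSystemMetadata["File System Metadata"];
T1070["Indicator Removal"] --> |may-modify| File["File"];
T1070["Indicator Removal"] --> |modifies| EventLog["Event Log"];
T1070["Indicator Removal"] --> |modifies| CommandHistoryLog["Command History Log"];
T1070["Indicator Removal"] --> |modifies| OperatingSystemLogFile["Operating System Log File"];
T1070["Indicator Removal"] --> |unmounts| NetworkFileShareResource["Network File Share Resource"];

%% --- Defensive techniques -> artifacts, and their inferred effect on T1070 ---
%% NOTE(review): in this listing every defensive edge lands on File,
%% Operating System Log File or Network File Share Resource. No defensive
%% technique is linked to File System Metadata, Event Log or Command History
%% Log, so coverage of those artifacts has to be assessed separately.

%% Deceive
DecoyFile["Decoy File"] --> | spoofs | File["File"];
DecoyFile["Decoy File"] -.-> | may-deceive | T1070["Indicator Removal"];
DecoyFile["Decoy File"] --> | spoofs | OperatingSystemLogFile["Operating System Log File"];
DecoyNetworkResource["Decoy Network Resource"] --> | spoofs | NetworkFileShareResource["Network File Share Resource"];
DecoyNetworkResource["Decoy Network Resource"] -.-> | may-deceive | T1070["Indicator Removal"];

%% Detect
FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | OperatingSystemLogFile["Operating System Log File"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.-> | may-detect | T1070["Indicator Removal"];
FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | File["File"];

%% Evict
FileEviction["File Eviction"] --> | deletes | OperatingSystemLogFile["Operating System Log File"];
FileEviction["File Eviction"] -.-> | may-evict | T1070["Indicator Removal"];
FileEviction["File Eviction"] --> | deletes | File["File"];

%% Harden
FileEncryption["File Encryption"] --> | encrypts | File["File"];
FileEncryption["File Encryption"] -.-> | may-harden | T1070["Indicator Removal"];
FileEncryption["File Encryption"] --> | encrypts | OperatingSystemLogFile["Operating System Log File"];

%% Isolate
ContentQuarantine["Content Quarantine"] --> | quarantines | OperatingSystemLogFile["Operating System Log File"];
ContentQuarantine["Content Quarantine"] -.-> | may-isolate | T1070["Indicator Removal"];
ContentQuarantine["Content Quarantine"] --> | quarantines | File["File"];
ContentModification["Content Modification"] --> | modifies | OperatingSystemLogFile["Operating System Log File"];
ContentModification["Content Modification"] -.-> | may-isolate | T1070["Indicator Removal"];
ContentModification["Content Modification"] --> | modifies | File["File"];
LocalFilePermissions["Local File Permissions"] --> | restricts | File["File"];
LocalFilePermissions["Local File Permissions"] -.-> | may-isolate | T1070["Indicator Removal"];
LocalFilePermissions["Local File Permissions"] --> | restricts | OperatingSystemLogFile["Operating System Log File"];

%% Detect
FileAnalysis["File Analysis"] --> | analyzes | OperatingSystemLogFile["Operating System Log File"];
FileAnalysis["File Analysis"] -.-> | may-detect | T1070["Indicator Removal"];
FileAnalysis["File Analysis"] --> | analyzes | File["File"];

%% Isolate
NetworkResourceAccessMediation["Network Resource Access Mediation"] --> | isolates | NetworkFileShareResource["Network File Share Resource"];
NetworkResourceAccessMediation["Network Resource Access Mediation"] -.-> | may-isolate | T1070["Indicator Removal"];

%% Restore
RestoreFile["Restore File"] --> | restores | OperatingSystemLogFile["Operating System Log File"];
RestoreFile["Restore File"] -.-> | may-restore | T1070["Indicator Removal"];
RestoreFile["Restore File"] --> | restores | File["File"];

%% Isolate
RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | OperatingSystemLogFile["Operating System Log File"];
RemoteFileAccessMediation["Remote File Access Mediation"] -.-> | may-isolate | T1070["Indicator Removal"];
RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | File["File"];

%% Detect
SystemFileAnalysis["System File Analysis"] --> | analyzes | OperatingSystemLogFile["Operating System Log File"];
SystemFileAnalysis["System File Analysis"] -.-> | may-detect | T1070["Indicator Removal"];

%% Isolate
ContentFiltering["Content Filtering"] --> | filters | OperatingSystemLogFile["Operating System Log File"];
ContentFiltering["Content Filtering"] -.-> | may-isolate | T1070["Indicator Removal"];
ContentFiltering["Content Filtering"] --> | filters | File["File"];

%% --- Node styling (one class per node) ---
class T1070 OffensiveTechniqueNode;
class File,FileSystemMetadata,EventLog,CommandHistoryLog,OperatingSystemLogFile,NetworkFileShareResource ArtifactNode;
class DecoyFile,DecoyNetworkResource,FileIntegrityMonitoring,FileEviction,FileEncryption,ContentQuarantine,ContentModification DefensiveTechniqueNode;
class LocalFilePermissions,FileAnalysis,NetworkResourceAccessMediation,RestoreFile,RemoteFileAccessMediation,SystemFileAnalysis,ContentFiltering DefensiveTechniqueNode;

%% --- Node links (one click target per node) ---
click T1070 href "/offensive-technique/attack/T1070/";
click File href "/dao/artifact/d3f:File";
click FileSystemMetadata href "/dao/artifact/d3f:FileSystemMetadata";
click EventLog href "/dao/artifact/d3f:EventLog";
click CommandHistoryLog href "/dao/artifact/d3f:CommandHistoryLog";
click OperatingSystemLogFile href "/dao/artifact/d3f:OperatingSystemLogFile";
click NetworkFileShareResource href "/dao/artifact/d3f:NetworkFileShareResource";
click DecoyFile href "/technique/d3f:DecoyFile";
click DecoyNetworkResource href "/technique/d3f:DecoyNetworkResource";
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring";
click FileEviction href "/technique/d3f:FileEviction";
click FileEncryption href "/technique/d3f:FileEncryption";
click ContentQuarantine href "/technique/d3f:ContentQuarantine";
click ContentModification href "/technique/d3f:ContentModification";
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";
click FileAnalysis href "/technique/d3f:FileAnalysis";
click NetworkResourceAccessMediation href "/technique/d3f:NetworkResourceAccessMediation";
click RestoreFile href "/technique/d3f:RestoreFile";
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";
click SystemFileAnalysis href "/technique/d3f:SystemFileAnalysis";
click ContentFiltering href "/technique/d3f:ContentFiltering";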