1. Home
  2. Techniques
  3. Enterprise
  4. 移除指标

移除指标

ID Name
T1070.001 时间戳同步篡改
T1070.002 内存残留定向清理
T1070.003 日志注入污染
T1070.004 隐蔽擦除链构建

移除指标技术指攻击者为消除入侵痕迹、阻碍安全检测与取证分析,对系统日志、文件元数据、内存残留等数字证据实施删除或篡改的操作集合。该技术直接影响安全设备的告警完整性,并破坏事件响应过程中的证据链重建能力。防御方通常采用文件完整性监控、日志聚合分析和内存取证工具等手段进行对抗,重点关注异常文件删除事件、日志服务异常中断等情况。

为规避传统痕迹清除技术因操作模式固定、残留特征明显而易于被检测的缺陷,攻击者发展出多维融合的隐匿擦除体系,通过时序特征伪装、内存级清理、日志生态污染及分布式任务分解等策略,将痕迹清除行为深度融入系统正常运维操作中,在保证清除效果的同时实现操作过程的"合法化"。

当前移除指标匿迹技术的演进呈现出三大核心特征:首先是操作粒度的原子化,将整体擦除任务分解为微操作序列,每个操作单独符合系统白名单策略(如将日志删除拆分为权限提升、服务停止、文件修改等合规操作组合);其次是技术维度的融合化,结合时间篡改、数据注入、内存操作等多领域技术形成复合隐匿效果(如先污染日志再实施删除,使得删除操作本身成为"合理"的日志管理行为);最后是架构维度的分布式,通过跨平台、跨网络的协作式擦除链,将本地痕迹清除转化为需要全局关联分析才能识别的隐蔽威胁。典型技术如隐蔽擦除链构建突破单机对抗范畴,要求防御方具备跨域日志关联分析能力;内存残留定向清理则迫使取证技术向实时内存监控方向演进。

匿迹技术的发展导致传统基于特征匹配的日志监控体系面临根本性挑战,防御方需构建面向全数据生命周期的零信任审计框架,实施日志数据的多副本不可变存储,并引入基于行为基线的异常操作识别模型,同时加强内存实时取证与硬件级可信计算技术的融合应用。

ID: T1070
Sub-techniques:  T1070.001, T1070.002, T1070.003, T1070.004
Tactic: 防御规避
Platforms: Containers, Linux, Network, Office Suite, Windows, macOS
Defense Bypassed: Anti-virus, Host intrusion prevention systems, Log analysis
Contributors: Blake Strom, Microsoft 365 Defender; Brad Geesaman, @bradgeesaman; Ed Williams, Trustwave, SpiderLabs
Version: 2.2
Created: 31 May 2017
Last Modified: 15 October 2024

匿迹效应

效应类型 是否存在
特征伪装
行为透明
数据遮蔽
时空释痕

特征伪装

通过日志注入污染等技术,将恶意擦除操作伪装成正常的系统维护行为。攻击者生成符合业务逻辑的虚假日志条目,使删除操作在日志序列中呈现为合法管理行为,规避基于操作模式分析的检测规则。该手法使得防御方难以从海量日志中识别异常操作特征。

数据遮蔽

在内存残留定向清理等技术中,采用物理内存覆写和加密擦除算法,确保敏感数据不可恢复。通过内存操作层面的数据遮蔽,防御方无法通过常规取证工具获取有效证据,形成数据层面的彻底隐匿。

时空释痕

隐蔽擦除链构建技术将擦除任务分散到多个时空节点执行,每个节点仅在特定时间窗口执行部分操作。这种分布式执行模式将单一擦除行为的时空特征稀释在长周期、多地域的操作序列中,传统基于集中式操作的检测模型难以有效识别。

Procedure Examples

ID Name Description
G1023 APT5

APT5 has used the THINBLOOD utility to clear SSL VPN log files located at /home/runtime/logs.[1][2]
S0239 Bankshot

Bankshot deletes all artifacts associated with the malware from the infected machine.[3]
S0089 BlackEnergy

BlackEnergy has removed the watermark associated with enabling the TESTSIGNING boot configuration option by removing the relevant strings in the user32.dll.mui of the system.[4]
S1161 BPFDoor

BPFDoor clears the file location /proc/<PID>/environ removing all environment variables for the process.[5]

S0527 CSPY Downloader

CSPY Downloader has the ability to remove values it writes to the Registry.[6]
C0029 Cutting Edge

During Cutting Edge, threat actors cleared logs to remove traces of their activity and restored compromised systems to a clean state to bypass manufacturer mitigations for CVE-2023-46805 and CVE-2024-21887.[7][8]
S0673 DarkWatchman

DarkWatchman can uninstall malicious components from the Registry, stop processes, and clear the browser history.[9]
S0695 Donut

Donut can erase file references to payloads in-memory after being reflectively loaded and executed.[10]
S1159 DUSTTRAP

DUSTTRAP restores the .text section of compromised DLLs after malicious code is loaded into memory and before the file is closed.[11]
S0568 EVILNUM

EVILNUM has a function called "DeleteLeftovers" to remove certain artifacts of the attack.[12]
S0696 Flagpro

Flagpro can close specific Windows Security and Internet Explorer dialog boxes to mask external connections.[13]
S1044 FunnyDream

FunnyDream has the ability to clean traces of malware deployment.[14]
S0697 HermeticWiper

HermeticWiper can disable pop-up information about folders and desktop items and delete Registry keys to hide malicious services.[15][16]
S1132 IPsec Helper

IPsec Helper can delete various registry keys related to its execution and use.[17]
G0032 Lazarus Group

Lazarus Group has restored malicious KernelCallbackTable code to its original state after the process execution flow has been hijacked.[18]
S0449 Maze

Maze has used the "Wow64RevertWow64FsRedirection" function following attempts to delete the shadow volumes, in order to leave the system in the same state as it was prior to redirection.[19]

S0455 Metamorfo

Metamorfo has a command to delete a Registry key it uses, \Software\Microsoft\Internet Explorer\notes.[20]
S1135 MultiLayer Wiper

MultiLayer Wiper uses a batch script to clear file system cache memory via the ProcessIdleTasks export in advapi32.dll as an anti-analysis and anti-forensics technique.[21]
S0691 Neoichor

Neoichor can clear the browser history on a compromised host by changing the ClearBrowsingHistoryOnExit value to 1 in the HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy Registry key.[22]
S0229 Orz

Orz can overwrite Registry settings to reduce its visibility on the victim.[23]
S0448 Rising Sun

Rising Sun can clear a memory blog in the process by overwriting it with junk bytes.[24]

S1085 Sardonic

Sardonic has the ability to delete created WMI objects to evade detections.[25]
S0461 SDBbot

SDBbot has the ability to clean up and remove data structures from a compromised host.[26]
S0596 ShadowPad

ShadowPad has deleted arbitrary Registry values.[27]
S0589 Sibot

Sibot will delete an associated registry key if a certain server response is received.[28]
S0692 SILENTTRINITY

SILENTTRINITY can remove artifacts from the compromised host, including created Registry keys.[29]
C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 temporarily replaced legitimate utilities with their own, executed their payload, and then restored the original file.[30]
S0603 Stuxnet

Stuxnet can delete OLE Automation and SQL stored procedures used to store malicious payloads.[31]
S0559 SUNBURST

SUNBURST removed HTTP proxy registry values to clean up traces of execution.[32]

Mitigations

ID Mitigation Description
M1041 Encrypt Sensitive Information

Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.
M1029 Remote Data Storage

Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system.

M1022 Restrict File and Directory Permissions

Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor logs for abnormal modifications to application settings, such as the creation of malicious Exchange transport rules.
DS0017 Command Command Execution

Monitor executed commands and arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.
DS0022 File File Deletion

Monitor for a file that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.
File Metadata

Monitor for contextual file data that may show signs of deletion or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.
File Modification

Monitor for changes made to a file may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.
DS0018 Firewall Firewall Rule Modification

Monitor for changes made to firewall rules, especially unexpected modifications that may potentially be related to allowing and/or cleaning up previous tampering that enabled malicious network traffic.
DS0029 Network Traffic Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).
DS0009 Process OS API Execution

Monitor for API calls that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.
Process Creation

Monitor for newly executed processes that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.
DS0003 Scheduled Job Scheduled Job Modification

Monitor for changes made to scheduled jobs that may attempt to remove artifacts on a host system.
DS0002 User Account User Account Authentication

Monitor for an attempt by a user to gain access to a network or computing resource, often by providing credentials that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.
User Account Deletion

Monitor for unexpected deletions of user accounts. Windows event logs may highlight activity associated with an adversary's attempt to remove an account (e.g., Event ID 4726 - A user account was deleted).

Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate account modification events with other indications of malicious activity where possible.
DS0024 Windows Registry Windows Registry Key Deletion

Monitor windows registry keys that may be deleted or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.
Windows Registry Key Modification

Monitor for changes made to windows registry keys or values that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

References

  1. Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024.
  2. Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024.
  3. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
  4. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  5. The Sandfly Security Team. (2022, May 11). BPFDoor - An Evasive Linux Backdoor Technical Analysis. Retrieved September 29, 2023.
  6. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  7. Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.
  8. Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024.
  9. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  10. TheWover. (2019, May 9). donut. Retrieved March 25, 2022.
  11. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  12. Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021.
  13. Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.
  14. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  15. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.
  16. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022.
  1. Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.
  2. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
  3. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
  4. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
  5. Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024.
  6. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  7. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  8. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  9. Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.
  10. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  11. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.
  12. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  13. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  14. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  15. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22
  16. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.