
T1070

Indicator Removal on Host

Description from ATT&CK

Adversaries may selectively delete or modify artifacts generated to reduce indications of their presence and blend in with legitimate activity. Rather than broadly removing evidence, adversaries may target specific artifacts that appear anomalous or are likely to draw scrutiny, while leaving sufficient data intact to maintain the appearance of normal system behavior.

Artifacts such as command histories, log entries, or file metadata may be altered in ways that align with expected user or system activity. Location, format, and type of artifact (such as command or login history) are often platform-specific, allowing adversaries to tailor modifications that minimize suspicion.

These actions may not prevent detection entirely but can delay recognition of malicious activity or reduce the fidelity of alerts by making events appear benign or consistent with routine operations. Additionally, selectively removed or modified artifacts may still be recoverable through deeper forensic analysis, though their absence or alteration can complicate timeline reconstruction and attribution.


Atomic Tests

Atomic Test #1: Indicator Removal using FSUtil

Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume. Upon execution, no output will be displayed. More information about fsutil can be found at https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn

Supported Platforms: Windows

auto_generated_guid: b4115c7a-0e92-47f0-a61e-17e7218b2435

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

fsutil usn deletejournal /D C:

Cleanup Commands

fsutil usn createjournal m=1000 a=100 c:

Atomic Test #2: Indicator Manipulation using FSUtil

Finds a file by user name (if Disk Quotas are enabled), queries allocated ranges for a file, sets a file's short name, sets a file's valid data length, sets zero data for a file, or creates a new file. Upon execution, no output will be displayed. More information about fsutil can be found at https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-file

Supported Platforms: Windows

auto_generated_guid: 96e86706-6afd-45b6-95d6-108d23eaf2e9

Inputs

| Name               | Description                | Type    | Default Value                                        |
|--------------------|----------------------------|---------|------------------------------------------------------|
| file_to_manipulate | Path of file to manipulate | path    | PathToAtomicsFolder\..\ExternalPayloads\T1070-2.txt |
| file_data_length   | Data length to setzero     | integer | 10                                                   |

Attack Commands: Run with powershell!

if (-not (Test-Path "#{file_to_manipulate}")) { New-Item "#{file_to_manipulate}" -Force }
echo "1234567890" > "#{file_to_manipulate}"
fsutil  file setZeroData offset=0 length=#{file_data_length} "#{file_to_manipulate}"

Cleanup Commands

rm "#{file_to_manipulate}"
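Both tests above leave a process-creation record behind (fsutil.exe with its full command line), which is the natural detection point. The following is an added example, not part of the Atomic Red Team project, that matches Sysmon-style process events against the two fsutil actions exercised here; it normalises runs of whitespace, case and a quoted full path to the binary so that trivial spacing or casing differences do not slip past the match. The event records are constructed for the example.

```python
import ntpath
import re
from typing import Iterable, Optional

# Constructed sample process-creation events in a Sysmon Event ID 1 style.
# These are made-up records for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\fsutil.exe", "User": r"LAB\admin",
     "CommandLine": "fsutil usn deletejournal /D C:"},
    {"Image": r"C:\Windows\System32\fsutil.exe", "User": r"LAB\user",
     "CommandLine": 'fsutil  file setZeroData offset=0 length=10 "C:\\Lab\\T1070-2.txt"'},
    {"Image": r"C:\Windows\System32\fsutil.exe", "User": r"LAB\admin",
     "CommandLine": "fsutil usn createjournal m=1000 a=100 c:"},
    {"Image": r"C:\Windows\System32\fsutil.exe", "User": r"LAB\user",
     "CommandLine": "fsutil fsinfo drives"},
    {"Image": r"C:\Windows\System32\cmd.exe", "User": r"LAB\user",
     "CommandLine": "cmd /c echo hello"},
]

# (subcommand, verb) pairs from the two atomic tests, compared lower-case.
FSUTIL_SIGNATURES = {
    ("usn", "deletejournal"): "T1070: USN change journal deleted",
    ("file", "setzerodata"): "T1070: file contents zeroed with fsutil",
}

def tokenize_windows_cmdline(cmdline: str) -> list:
    """Split on runs of whitespace while keeping double-quoted paths as one token.
    A doubled space such as 'fsutil  file' collapses to a single separator."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def classify_fsutil(cmdline: str) -> Optional[str]:
    """Return a rule label when the command line is one of the fsutil actions above."""
    tokens = tokenize_windows_cmdline(cmdline)
    if len(tokens) < 3:
        return None
    exe = ntpath.basename(tokens[0]).lower()  # handles a quoted full path too
    if exe not in ("fsutil", "fsutil.exe"):
        return None
    return FSUTIL_SIGNATURES.get((tokens[1].lower(), tokens[2].lower()))

def detect(events: Iterable[dict]) -> list:
    """Run every event through classify_fsutil and collect the hits."""
    hits = []
    for ev in events:
        label = classify_fsutil(ev.get("CommandLine", ""))
        if label:
            hits.append({"user": ev.get("User"), "rule": label, "cmd": ev["CommandLine"]})
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The createjournal cleanup command is deliberately not matched, but on a host where the journal should never be recreated by hand it is worth a separate, lower-severity rule.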

Atomic test(s) for this technique last updated: 2023-09-29 14:50:42 UTC
