2. Overview (Indicator Removal on Host)
A technique in which the adversary deletes or alters artifacts related to the attack in order to delay its discovery.
[Figure: cartoon. After attacking the victim, the villain deletes the related logs ("Delete!!"). The sysadmin later inspects the host, finds no evidence of an attack ("umm.. there is no evidence of attack.") and signs it off ("LGTM!").]
5. Definition in MITRE ATT&CK
Original text:
Adversaries may delete or alter generated artifacts on a host system,
including logs or captured files such as quarantined malware. Locations
and format of logs are platform or product-specific, however standard
operating system logs are captured as Windows events or Linux/macOS
files such as Bash History and /var/log/*.
These actions may interfere with event collection, reporting, or other
notifications used to detect intrusion activity. This may
compromise the integrity of security solutions by causing notable
events to go unreported. This activity may also impede forensic
analysis and incident response, due to lack of sufficient data to
determine what occurred.
6. Sub-techniques
T1070.001 Clear Windows Event Logs
T1070.002 Clear Linux or Mac System Logs
T1070.003 Clear Command History
T1070.004 File Deletion
T1070.005 Network Share Connection Removal
T1070.006 Timestomp
9. T1070.001 Clear Windows Event Logs
How to clear Windows event logs (from the command line)
wevtutil cl <source>
Example:
wevtutil cl system
wevtutil cl application
wevtutil cl security
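From the defender's side, clearing a log with wevtutil is itself logged: the Microsoft-Windows-Eventlog provider writes event ID 1102 into the (now empty) Security log when the Security log is cleared, and event ID 104 into the System log when any other channel (System, Application, ...) is cleared, each carrying the account that did it. The following is an added example, not code from the original slides: a small Python detector that walks exported event XML (the standard <Event> schema, as produced by "wevtutil qe <log> /f:xml") and reports log-clear records. The sample records are constructed for this example and wrapped in a made-up <Events> root so they parse as one document; the account and host names in them are invented.

```python
"""Detect Windows event-log clearing (T1070.001) in exported event records.

Added example, not part of the original slides. Assumes events exported from
the Windows Event Log as XML in the standard <Event> schema; the records in
SAMPLE_EVENTS are constructed for this example.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Written by the Microsoft-Windows-Eventlog provider when a log is cleared.
# 1102 lands in the Security log (Security log cleared); 104 lands in the
# System log (another channel such as System or Application cleared).
PROVIDER = "Microsoft-Windows-Eventlog"
LOG_CLEARED_IDS = {1102, 104}

# Constructed sample: one ordinary logon (4624), one Security clear (1102),
# one Application clear recorded in the System log (104).
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
  <TimeCreated SystemTime="2024-05-01T10:14:02Z"/><Channel>Security</Channel></System>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Eventlog"/><EventID>1102</EventID>
  <TimeCreated SystemTime="2024-05-01T10:15:00Z"/><Channel>Security</Channel></System>
  <UserData><LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
    <SubjectUserName>alice</SubjectUserName><SubjectDomainName>EXAMPLE</SubjectDomainName>
    <SubjectLogonId>0x3e7</SubjectLogonId></LogFileCleared></UserData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Eventlog"/><EventID>104</EventID>
  <TimeCreated SystemTime="2024-05-01T10:15:07Z"/><Channel>System</Channel></System>
  <UserData><LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
    <SubjectUserName>alice</SubjectUserName><SubjectDomainName>EXAMPLE</SubjectDomainName>
    <Channel>Application</Channel><BackupPath></BackupPath></LogFileCleared></UserData>
</Event>
</Events>"""


@dataclass
class LogClear:
    event_id: int
    cleared_log: str   # which log was emptied
    time: str          # TimeCreated/@SystemTime of the record
    user: str          # DOMAIN\name of the account that cleared it


def _local(tag: str) -> str:
    """Strip the XML namespace so lookups work for both namespaces used above."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    if elem is None:
        return None
    return next((c for c in elem if _local(c.tag) == name), None)


def _text(elem, name, default=""):
    c = _child(elem, name)
    return (c.text or default) if c is not None else default


def find_log_clears(xml_text: str) -> list:
    """Return a LogClear for every 1102/104 record from the Eventlog provider."""
    hits = []
    for ev in ET.fromstring(xml_text).iter():
        if _local(ev.tag) != "Event":
            continue
        sysnode = _child(ev, "System")
        provider = _child(sysnode, "Provider")
        if provider is None or provider.get("Name") != PROVIDER:
            continue
        event_id = int(_text(sysnode, "EventID", "0"))
        if event_id not in LOG_CLEARED_IDS:
            continue
        # The clearing account (and, for 104, the cleared channel) sits in UserData/LogFileCleared.
        cleared = _child(_child(ev, "UserData"), "LogFileCleared")
        cleared_log = _text(cleared, "Channel") if event_id == 104 else _text(sysnode, "Channel")
        user = f'{_text(cleared, "SubjectDomainName")}\\{_text(cleared, "SubjectUserName", "?")}'
        tc = _child(sysnode, "TimeCreated")
        time = tc.get("SystemTime", "") if tc is not None else ""
        hits.append(LogClear(event_id, cleared_log, time, user))
    return hits


if __name__ == "__main__":
    for h in find_log_clears(SAMPLE_EVENTS):
        print(f"{h.time} event {h.event_id}: {h.cleared_log} log cleared by {h.user}")
```

On a live host the same records can be pulled with PowerShell, e.g. Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102} and @{LogName='System'; Id=104}. The 1102 record survives the clear because it is the first record written into the emptied log, so a Security log whose oldest entry is 1102 is a strong signal; forwarding events off-host (Windows Event Forwarding or a SIEM agent) keeps a copy the attacker cannot reach with wevtutil.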
10. T1070.002 Clear Linux or Mac System Logs
Deleting Linux/Mac logs
Main deletion targets
/var/log/messages: General and system-related messages
/var/log/secure or /var/log/auth.log: Authentication logs
/var/log/utmp or /var/log/wtmp: Login records
/var/log/kern.log: Kernel logs
/var/log/cron.log: Crond logs
/var/log/maillog: Mail server logs
/var/log/httpd/: Web server access and error logs
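Unlike Windows, a plain file under /var/log records nothing when it is truncated or removed, so the defender needs an external reference. The following is an added example, not code from the original slides: a Python integrity check that snapshots each log's inode, size and a hash of its leading bytes while the files are known good, then reports files that were deleted, replaced (inode changed), truncated (shrunk), or edited in place (earlier content changed), while ignoring the normal case of lines being appended. WATCHED_LOGS defaults to the slide's list; the demo runs on temporary files constructed here rather than on the real /var/log.

```python
"""Detect deletion, truncation or in-place editing of Linux log files (T1070.002).

Added example, not part of the original slides. Assumes a baseline snapshot is
taken while the logs are known good (e.g. by a cron job that stores it off-host)
and compared against the live files later. demo() works on constructed
temporary files, not on /var/log.
"""
import hashlib
import os
import tempfile

# Paths listed on the slide (utmp is a binary file but is checked the same way).
WATCHED_LOGS = [
    "/var/log/messages", "/var/log/secure", "/var/log/auth.log",
    "/var/log/utmp", "/var/log/wtmp", "/var/log/kern.log",
    "/var/log/cron.log", "/var/log/maillog",
]
HEAD_BYTES = 64 * 1024  # hash only the head: normal appends leave it unchanged


def snapshot(paths) -> dict:
    """Record inode, size and a hash of the first HEAD_BYTES of each file."""
    snap = {}
    for p in paths:
        try:
            st = os.stat(p)
        except FileNotFoundError:
            snap[p] = None          # absent at baseline: nothing to compare later
            continue
        with open(p, "rb") as f:
            head = f.read(HEAD_BYTES)
        snap[p] = {"inode": st.st_ino, "size": st.st_size,
                   "head_len": len(head), "head_sha256": hashlib.sha256(head).hexdigest()}
    return snap


def check(baseline: dict) -> list:
    """Compare live files against the baseline; return (path, finding) pairs."""
    findings = []
    for p, old in baseline.items():
        if old is None:
            continue
        try:
            st = os.stat(p)
        except FileNotFoundError:
            findings.append((p, "deleted"))
            continue
        if st.st_ino != old["inode"]:
            findings.append((p, "replaced (inode changed)"))
            continue
        if st.st_size < old["size"]:
            findings.append((p, f"truncated ({old['size']} -> {st.st_size} bytes)"))
            continue
        # Same inode and not smaller: re-hash exactly the bytes the baseline covered,
        # so content appended since then does not count as tampering.
        with open(p, "rb") as f:
            head = f.read(old["head_len"])
        if hashlib.sha256(head).hexdigest() != old["head_sha256"]:
            findings.append((p, "rewritten (earlier content changed)"))
    return findings


def demo() -> dict:
    """Constructed scenario: one legitimate append and three kinds of tampering."""
    with tempfile.TemporaryDirectory() as d:
        paths = {n: os.path.join(d, n) for n in ["auth.log", "messages", "kern.log", "cron.log"]}
        for n, p in paths.items():
            with open(p, "w") as f:
                f.write(f"Jan  1 00:00:01 host {n}: constructed baseline line\n" * 3)
        base = snapshot(paths.values())
        # Legitimate: a new line is appended to auth.log.
        with open(paths["auth.log"], "a") as f:
            f.write("Jan  1 00:05:00 host sshd[1]: Accepted publickey for ops\n")
        # Tampering: messages truncated to zero length.
        open(paths["messages"], "w").close()
        # Tampering: kern.log removed.
        os.remove(paths["kern.log"])
        # Tampering: earlier content of cron.log edited in place.
        with open(paths["cron.log"], "r+") as f:
            f.write("X")
        return {os.path.basename(p): reason for p, reason in check(base)}


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name}: {reason}")
```

Two caveats for real use: logrotate legitimately renames and recreates files, so the baseline must be refreshed after each rotation (or the check scheduled just after it), and the baseline has to live where a root-level attacker cannot edit it, otherwise it can be regenerated to match the tampered files. Shipping logs to a remote syslog or SIEM as they are written remains the stronger control, since the remote copy is unaffected by anything done to the local files.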