DET0750: Detection of Indicator Removal on Host
Analyst context for executives and security teams
DET0750 is a detection strategy for attempts to remove evidence from an ICS host or device. The business issue is not just stealth: if logs, files, or traces are deleted or overwritten, responders may lose the evidence needed to scope an incident, prove recovery integrity, support audit requirements, and understand whether cyber-physical operations were affected.
Executive priority
Treat this as an incident-readiness and resilience control area. Leaders should ask whether critical ICS systems preserve forensic evidence when a host is tampered with, whether logs are retained outside the affected system, and whether IR teams can reconstruct activity if local indicators are removed. This can influence budget priorities for logging, retention, endpoint visibility, and evidence handling in operational environments.
Technical view
This strategy is related to ATT&CK for ICS technique T0872, Indicator Removal on Host. Because MITRE provides no platform, tactic, description, or detection logic for DET0750 itself, SOC and IR teams should validate coverage against the related behavior: overwriting, deleting, or concealing changes made on a device. Focus on whether host-level evidence, file integrity signals, configuration change records, and log-clearing or tampering events are collected and preserved outside the potentially compromised host.
Likely telemetry
- Host audit logs showing file deletion, overwrite, or permission changes
- Security or system logs indicating log clearing, truncation, or abnormal log service behavior
- Process execution records for utilities or scripts that modify, delete, or archive evidence
- File integrity monitoring or configuration monitoring on critical ICS hosts
- Centralized log collection and retention records that can survive local host tampering
Detection direction
- Confirm whether critical ICS hosts generate and forward relevant host and file-change telemetry before an adversary could remove local indicators.
- Tune alerts for unusual deletion, overwrite, or log-clearing activity on systems where such actions are rare or operationally sensitive.
- Separate legitimate maintenance, patching, log rotation, and administrative cleanup from suspicious activity using approved change windows and operator context.
- Validate that central logging or other off-host evidence can support investigation when local host records are missing or altered.
- Use the T0872 relationship as the behavioral anchor; DET0750 itself does not provide official detection analytics or platform-specific guidance.
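The detection direction above comes down to two checks a SOC can actually run over forwarded host telemetry: flag evidence-removal events (file deletion or overwrite, log clearing, log service stops) that no approved change window explains, and confirm that the central copy of a host's log stream shows where local records were cleared. The block below is an added example illustrating both, not code from MITRE, Glexia, or the DET0750 record; the audit events, change window, host names, actor names and field names (`host`, `seq`, `event`, `actor`) are constructed here and are assumptions, not any product's log schema.

```python
"""
Added example: triage host evidence-removal signals against approved change
windows, and detect local log truncation from the central copy of the stream.
All events, hosts, actors and field names below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Event kinds that the telemetry list above treats as relevant to T0872.
EVIDENCE_REMOVAL_EVENTS = {"file_delete", "file_overwrite", "log_cleared", "log_service_stopped"}


@dataclass(frozen=True)
class AuditEvent:
    host: str
    ts: datetime
    seq: int          # per-host sequence number assigned by the local log service (assumed field)
    event: str
    actor: str
    detail: str


@dataclass(frozen=True)
class ChangeWindow:
    host: str
    start: datetime
    end: datetime
    approved_actors: frozenset


def _t(s: str) -> datetime:
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def is_authorized(ev: AuditEvent, windows) -> bool:
    """True if the event sits inside an approved change window for that host and the
    actor is named in the change record; this is the 'operator context' filter."""
    return any(
        w.host == ev.host and w.start <= ev.ts <= w.end and ev.actor in w.approved_actors
        for w in windows
    )


def find_suspicious_removal(events, windows):
    """Evidence-removal events that no approved change window explains, in input order."""
    return [ev for ev in events if ev.event in EVIDENCE_REMOVAL_EVENTS and not is_authorized(ev, windows)]


def find_sequence_resets(events):
    """Per-host sequence numbers in the central copy should only increase. A value that
    goes backwards means the local log was cleared or the log service restarted; either
    way the off-host copy is now the only complete record, so responders must be told.
    Returns a list of (host, previous_seq, new_seq, timestamp)."""
    resets, last_seq = [], {}
    for ev in sorted(events, key=lambda e: (e.host, e.ts)):
        prev = last_seq.get(ev.host)
        if prev is not None and ev.seq <= prev:
            resets.append((ev.host, prev, ev.seq, ev.ts))
        last_seq[ev.host] = ev.seq
    return resets


# Constructed sample: one approved maintenance window on hmi-01 for the service account.
SAMPLE_WINDOWS = [
    ChangeWindow("hmi-01", _t("2024-03-12T02:00:00"), _t("2024-03-12T04:00:00"), frozenset({"svc_maint"})),
]

# Constructed sample of forwarded host audit events (not real telemetry).
SAMPLE_EVENTS = [
    AuditEvent("hmi-01", _t("2024-03-12T02:15:00"), 1001, "file_delete", "svc_maint", "old trend export removed"),
    AuditEvent("hmi-01", _t("2024-03-12T02:20:00"), 1002, "file_overwrite", "svc_maint", "config backup refreshed"),
    AuditEvent("hmi-01", _t("2024-03-12T13:40:00"), 1003, "file_delete", "opuser", "application audit.log removed"),
    AuditEvent("eng-ws-02", _t("2024-03-12T13:42:00"), 550, "process_start", "local_admin", "shell started"),
    AuditEvent("eng-ws-02", _t("2024-03-12T13:43:00"), 551, "log_cleared", "local_admin", "security log cleared"),
    AuditEvent("eng-ws-02", _t("2024-03-12T13:44:00"), 1, "log_service_start", "system", "log service restarted"),
]


if __name__ == "__main__":
    for ev in find_suspicious_removal(SAMPLE_EVENTS, SAMPLE_WINDOWS):
        print(f"ALERT {ev.host} seq={ev.seq} {ev.event} by {ev.actor}: {ev.detail}")
    for host, prev, new, ts in find_sequence_resets(SAMPLE_EVENTS):
        print(f"GAP   {host} sequence reset {prev} -> {new} at {ts.isoformat()}; rely on central copy")
```

In the constructed sample the two deletions inside the hmi-01 window by the approved service account are suppressed, while the afternoon deletion by an operator and the log clearing on the engineering workstation are raised; the sequence reset on eng-ws-02 is reported separately so that the investigation playbook knows local records on that host are incomplete and the central copy is authoritative. In practice the change-window records would come from the change-management system and the sequence field from whatever the host's log forwarder emits.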
Mitigation priorities
- Prioritize off-host log forwarding, protected retention, and access controls for evidence sources on critical ICS systems.
- Limit who can delete or alter logs, configuration records, and forensic artifacts, especially on systems supporting operational processes.
- Establish procedures for evidence preservation during ICS incident response, including when local host data may be incomplete or manipulated.
- Baseline normal maintenance and cleanup activity so suspicious indicator removal is easier to distinguish from authorized operations.
- Test recovery and investigation playbooks for scenarios where local logs or files have been deleted or overwritten.
Analyst notes and limits
This take is based on the DET0750 detection strategy record and its relationship to T0872, Indicator Removal on Host. The strongest decision value is in validating whether the organization can still detect, investigate, and prove system state when a host-based adversary attempts to erase evidence.
The supplied ATT&CK object has no official description, detection text, tactics, or platforms. Recommendations are therefore conservative and relationship-driven; local ICS architecture, host types, logging design, and change-management practices are required to determine actual coverage.
Detection of Indicator Removal on Host
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0872 | Indicator Removal on Host | This object detects Indicator Removal on Host. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ac8b40a96666… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0750 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.