M1029: Remote Data Storage
Remote Data Storage focuses on moving critical data, such as security logs and sensitive files, to secure, off-host locations to minimize unauthorized access, tampering, or destruction by adversaries. By leveraging remote storage solutions, organizations enhance the protection of forensic evidence, sensitive information, and monitoring data. This mitigation can be implemented through the following measures:
Centralized Log Management:
- Configure endpoints to forward security logs to a centralized log collector or SIEM.
- Use tools like Splunk, Graylog, or Security Onion to aggregate and store logs.
- Example command (Linux): `sudo auditd | tee /var/log/audit/audit.log | nc`
Remote File Storage Solutions:
- Utilize cloud storage solutions like AWS S3, Google Cloud Storage, or Azure Blob Storage for sensitive data.
- Ensure proper encryption at rest and access control policies (IAM roles, ACLs).
Intrusion Detection Log Forwarding:
- Forward logs from IDS/IPS systems (e.g., Zeek/Suricata) to a remote security information system.
- Example for Suricata log forwarding: `outputs: - type: syslog protocol: tls address:`
Immutable Backup Configurations:
- Enable immutable storage settings for backups to prevent adversaries from modifying or deleting data.
- Example: AWS S3 Object Lock.
Data Encryption:
- Ensure encryption for sensitive data using AES-256 at rest and TLS 1.2+ for data in transit.
- Tools: OpenSSL, BitLocker, LUKS (Linux).
Analyst context for executives and security teams
Remote Data Storage matters because it preserves evidence and critical data when an attacker tries to erase, alter, or hide activity on compromised systems. For executives and security leaders, the decision value is resilience: if endpoint logs, mailbox records, network history, backups, or sensitive files exist only on the affected host or application, incident response and business decision-making can be impaired when those artifacts are cleared or manipulated.
Executive priority
Prioritize this mitigation where evidence integrity and operational recovery are business-critical: centralized logging, remote storage for sensitive data, protected IDS/IPS logs, encrypted storage, and immutable backups. It directly supports incident response readiness, audit evidence retention, and continuity planning for behaviors related to indicator removal, log clearing, automated collection, software deployment tool abuse, and data manipulation. Leaders should ask whether critical forensic and business records remain trustworthy if an endpoint, mailbox, server, or administrative platform is compromised.
Technical view
ATT&CK provides no detection text for this mitigation, so validation should focus on control coverage and evidence survivability. SOC and IR teams should confirm that security logs are forwarded off-host to a centralized collector or SIEM, IDS/IPS logs are sent to remote systems, sensitive files and backups are stored with appropriate encryption and access controls, and immutable backup settings are used where required. Relationship context makes this especially relevant to T1070 Indicator Removal, command history clearing, network connection history clearing, mailbox data clearing, persistence cleanup, Windows Event Log clearing, Linux/macOS log clearing, T1119 Automated Collection, T1072 Software Deployment Tools, and T1565 Data Manipulation.
Likely telemetry
- Endpoint security logs forwarded to centralized log management or SIEM
- Windows Event Logs where applicable to related log-clearing behavior
- Linux and macOS system logs, including authentication and system activity logs
- Command history artifacts where collected and legally/operationally appropriate
- Network connection history and configuration logs from hosts, network devices, and applications
Detection direction
- Validate that high-value logs are transmitted off-host quickly enough that local deletion or modification does not remove the only copy.
- Tune monitoring for gaps between local event generation and centralized receipt, because attackers targeting indicator removal may exploit forwarding delays or disabled logging.
- Compare host-side log state with remote log repositories to identify clearing, truncation, or missing intervals.
- Review mailbox, network, and persistence-related evidence sources because relationship context includes clearing mailbox data, network history, command history, and persistence artifacts.
- Confirm that software deployment and administration platforms forward logs remotely, since related technique T1072 involves centralized tools that may be used for execution or lateral movement.
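The two reconciliation checks above (measuring forwarding lag, and comparing host-side log state with the remote repository to surface clearing, truncation and missing intervals) worked through in Python. This is an added example, not code from ATT&CK or from the Glexia page; the line format, host name `web01`, the sample log lines, the retention window and the lag and gap thresholds are all constructed for illustration, and a real deployment would read the local log and the collector's index in their own formats.

```python
"""Evidence-survivability checks for off-host log storage (added example,
standard library only). Compares a host's local log against the copy held by
a remote collector/SIEM and reports: forwarding lag, events that never reached
the collector, events the collector holds that have vanished locally, and
time intervals missing from the remote copy. Line formats, hosts, timestamps
and thresholds are constructed for this example."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: what survives on the host after its auth log was emptied
# around 10:39 UTC. Format: "<generated-ts> <host> <message>".
LOCAL_LOG = """\
2024-05-01T10:40:00Z web01 sshd[1201]: Accepted publickey for deploy from 10.0.0.5
2024-05-01T10:41:10Z web01 sudo: deploy : COMMAND=/usr/bin/systemctl restart nginx
2024-05-01T10:42:05Z web01 sshd[1201]: session closed for user deploy
2024-05-01T10:43:30Z web01 sshd[1310]: Accepted password for root from 10.0.0.9
"""

# Constructed sample: the collector's copy of the same host's log.
# Format: "received=<collector-ts> <generated-ts> <host> <message>".
REMOTE_LOG = """\
received=2024-05-01T10:00:03Z 2024-05-01T10:00:00Z web01 cron[880]: (root) CMD (run-parts /etc/cron.hourly)
received=2024-05-01T10:05:02Z 2024-05-01T10:05:00Z web01 sshd[1105]: Accepted publickey for deploy from 10.0.0.5
received=2024-05-01T10:10:04Z 2024-05-01T10:10:00Z web01 sudo: deploy : COMMAND=/usr/bin/apt-get update
received=2024-05-01T10:35:02Z 2024-05-01T10:35:00Z web01 sshd[1180]: Accepted password for root from 10.0.0.9
received=2024-05-01T10:38:01Z 2024-05-01T10:38:00Z web01 sudo: root : TTY=pts/1 ; COMMAND=/bin/bash
received=2024-05-01T10:40:02Z 2024-05-01T10:40:00Z web01 sshd[1201]: Accepted publickey for deploy from 10.0.0.5
received=2024-05-01T10:41:12Z 2024-05-01T10:41:10Z web01 sudo: deploy : COMMAND=/usr/bin/systemctl restart nginx
received=2024-05-01T10:44:35Z 2024-05-01T10:42:05Z web01 sshd[1201]: session closed for user deploy
"""


@dataclass(frozen=True)
class Event:
    ts: datetime   # generation time on the host (UTC)
    host: str
    msg: str

    def fingerprint(self) -> str:
        # Content hash so the two copies can be matched regardless of line order.
        raw = f"{self.ts.isoformat()}|{self.host}|{self.msg}".encode()
        return hashlib.sha256(raw).hexdigest()[:16]


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_local(text: str) -> list[Event]:
    events = []
    for line in text.strip().splitlines():
        ts, host, msg = line.split(" ", 2)
        events.append(Event(_ts(ts), host, msg))
    return events


def parse_remote(text: str) -> list[tuple[Event, datetime]]:
    """Returns (event, received_at) pairs from the collector's copy."""
    pairs = []
    for line in text.strip().splitlines():
        recv, ts, host, msg = line.split(" ", 3)
        pairs.append((Event(_ts(ts), host, msg), _ts(recv[len("received="):])))
    return pairs


def forwarding_lag(remote, max_lag=timedelta(seconds=30)):
    """Events whose receipt at the collector trailed generation by more than
    max_lag; that lag is the window in which local-only evidence can be destroyed."""
    return [(ev.fingerprint(), int((recv - ev.ts).total_seconds()))
            for ev, recv in remote if recv - ev.ts > max_lag]


def reconcile(local, remote, local_retention=timedelta(hours=24),
              grace=timedelta(seconds=30)):
    """Cross-check both copies.
    missing_remote: local events older than `grace` the collector never received
                    (forwarding broken or disabled).
    cleared_locally: collector-held events inside the host's retention window that
                     are absent locally (clearing/truncation; normal rotation only
                     removes events older than the window)."""
    now = max(recv for _, recv in remote)
    window_start = now - local_retention
    local_by_fp = {e.fingerprint(): e for e in local}
    remote_by_fp = {e.fingerprint(): e for e, _ in remote}
    missing_remote = sorted(fp for fp, e in local_by_fp.items()
                            if fp not in remote_by_fp and now - e.ts > grace)
    cleared_locally = sorted(fp for fp, e in remote_by_fp.items()
                             if fp not in local_by_fp and e.ts >= window_start)
    return {"missing_remote": missing_remote, "cleared_locally": cleared_locally}


def missing_intervals(remote, max_gap=timedelta(minutes=10)):
    """Silent stretches in the remote copy longer than max_gap, i.e. periods in
    which the collector holds nothing from a host that normally reports steadily."""
    times = sorted(ev.ts for ev, _ in remote)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > max_gap]


def run_checks(local_text: str = LOCAL_LOG, remote_text: str = REMOTE_LOG) -> dict:
    local, remote = parse_local(local_text), parse_remote(remote_text)
    return {
        "lagging": forwarding_lag(remote),
        "reconcile": reconcile(local, remote),
        "gaps": missing_intervals(remote),
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

On the constructed data the checks report one event that reached the collector 150 seconds after generation, one local event the collector never received, five collector-held events that no longer exist on the host, and one silent interval (10:10 to 10:35 UTC) in the remote copy. The retention window in `reconcile` is what separates legitimate rotation from clearing: only events the host should still hold count as cleared, so the threshold must match the host's actual rotation policy.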
Mitigation priorities
- Identify critical evidence and business data that must survive host, mailbox, or application compromise.
- Centralize security log collection from endpoints, servers, IDS/IPS systems, cloud services, and administrative platforms.
- Use secure remote storage for sensitive files and monitoring data with encryption at rest and in transit.
- Apply strong access controls to remote storage, including role-based permissions and review of overly broad access policies.
- Use immutable backup or object-lock capabilities for recovery data and key evidence repositories where operationally appropriate.
Analyst notes and limits
This is a mitigation object, not an adversary behavior technique. Its value is strongest when mapped to evidence-destruction and data-integrity risks: indicator removal, Windows/Linux/macOS log clearing, command and network history clearing, mailbox data clearing, persistence cleanup, automated collection, software deployment tool abuse, and data manipulation. The ATT&CK mitigation itself lists no platforms or tactics, but related techniques span Windows, Linux, macOS, ESXi, containers, network devices, SaaS, IaaS, Office Suite, and related enterprise environments.
Official ATT&CK detection guidance is not provided for M1029, and the mitigation has no specified platforms or tactics. This take is limited to the supplied ATT&CK fields and relationships. Actual control priority depends on the organization’s logging architecture, cloud and backup design, retention requirements, encryption and IAM configuration, and incident response needs.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1070.007 | Clear Network Connection History and Configurations Sub-technique | Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. |
| Enterprise | T1119 | Automated Collection | Encryption and off-system storage of sensitive information may be one way to mitigate collection of files, but may not stop an adversary from acquiring the information if an intrusion persists over a long period of time and the adversary is able to discover and access the data through other means. |
| Enterprise | T1070 | Indicator Removal | Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. |
| Enterprise | T1685.005 | Clear Windows Event Logs Sub-technique | Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. |
| Enterprise | T1565 | Data Manipulation | Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data (Citation: Ready.gov IT DRP). Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and manipulate backups. |
| Enterprise | T1565.001 | Stored Data Manipulation Sub-technique | Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data (Citation: Ready.gov IT DRP). Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and manipulate backups. |
| Enterprise | T1070.003 | Clear Command History Sub-technique | Forward logging of historical data to remote data store and centralized logging solution to preserve historical command line log data. |
| Enterprise | T1070.009 | Clear Persistence Sub-technique | Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. |
| Enterprise | T1685.006 | Clear Linux or Mac System Logs Sub-technique | Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. |
| Enterprise | T1070.008 | Clear Mailbox Data Sub-technique | Automatically forward mail data and events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. |
| Enterprise | T1072 | Software Deployment Tools | If the application deployment system can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the application deployment system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | b2ccc3c669de… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack M1029 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.