CLEARED FOR PUBLIC RELEASE · OPEN-SOURCE INTELLIGENCE
Indicator Removal (T1070) — a Defense Evasion technique, observed in public incident reporting.
MITRE ATT&CKT1070
TacticDefense Evasion
Incidents on file6
Detection & mitigation
Monitor for processes with suspicious command-line arguments containing ':\Windows\ccmcache' that are not legitimate SCCM cache operations. Ensure Cortex XDR agent and content updates are patched to remove the vulnerable whitelist rules.