All courses
Resource hub
Featured resource
Tech Upskilling Playbook 2025
Tech Upskilling Playbook

Build future-ready tech teams and hit key business milestones with seven proven plays from industry leaders.

Learn more
Hamburger Icon
  • Course
    • Libraries: If you want this course, consider one of these libraries.
    • Security

Volt Typhoon: T1070.003 Indicator Removal Emulation

Explore how and why Volt Typhoon removed or modified files left behind by the actions of their intrusion activity in critical infrastructure networks.

Matthew Lloyd Davies - Pluralsight course - Volt Typhoon: T1070.003 Indicator Removal Emulation
by Matthew Lloyd Davies
Get started

What you'll learn

Non-native files such as tools and malware used during an attack may leave traces to indicate what was done by an adversary and how they did it. A common technique used by adversaries to hide their tracks is to remove these files either during an intrusion, or as part of post-intrusion activities. In this course, Volt Typhoon: T1070.003 Indicator Removal Emulation, explore how the Volt Typhoon threat group used this technique to minimize their footprint on systems and remain undetected in critical infrastructure for over 5 years.

Table of contents

About the author

Matthew Lloyd Davies - Pluralsight course - Volt Typhoon: T1070.003 Indicator Removal Emulation
Matthew Lloyd Davies

Matt has a degree in Chemical engineering and a PhD in mathematical chemistry. He is also a GIAC certified incident handler and penetration tester and has regulated cyber security in the UK civil nuclear sector for many years.

More Courses by Matthew