Detection of Persistence Artifact Removal Across Host Platforms

Technique Detected: Clear Persistence | T1070.009

ID: DET0040
Domains: Enterprise
Analytics: AN0113, AN0114, AN0115, AN0116
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0113 (Windows)

Detects adversary activity that removes persistence artifacts such as services, registry keys, scheduled tasks, user accounts, and binaries through commands like sc delete, schtasks /delete, or reg delete.

Log Sources

Data Component                              | Name                       | Channel
Process Creation (DC0032)                   | WinEventLog:Sysmon         | EventCode=1
User Account Deletion (DC0009)              | WinEventLog:Security       | EventCode=4726
Scheduled Job Creation (DC0001)             | WinEventLog:TaskScheduler  | EventCode=106
Windows Registry Key Modification (DC0063)  | WinEventLog:Security       | EventCode=4657

Note: EventCode=4657 is the registry-value-modified event and belongs only to the registry row; the account-deletion event is 4726. Task Scheduler EventCode=106 records task registration (the persistence being set up); the deletion event in the same Operational log is EventCode=141, so a rule built on 106 alone sees the task arrive but not leave.

Mutable Elements

Field                     | Description
TargetRegistryPathRegex   | Filters known persistence keys like Run/RunOnce, Image File Execution Options
DeletedScheduledTaskName  | Monitors known or suspicious task names deleted post-persistence
DeletedAccountGroupScope  | Focuses on highly privileged or recently created accounts
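As an added example (not part of the ATT&CK detection strategy), the Python below runs AN0113's logic over constructed Sysmon EventCode=1 and Security 4720/4726 records and shows where each of the three mutable elements plugs in. Field names are the standard Windows ones (CommandLine, TargetUserName); the regex values, the ACCOUNT_GROUPS inventory, the seven-day "recently created" window and the extra `net user /delete` rule are assumptions to tune per environment, not values from this page.

```python
import re
from datetime import datetime, timedelta

# ---- Mutable elements from the AN0113 table (values below are assumptions) ----
# TargetRegistryPathRegex: only Run/RunOnce and IFEO keys count as persistence here.
TARGET_REGISTRY_PATH_REGEX = re.compile(
    r"\\CurrentVersion\\Run(Once)?(\\|$)|\\Image File Execution Options\\", re.IGNORECASE)
# DeletedScheduledTaskName: alert on any deleted task outside the built-in \Microsoft\ tree.
DELETED_SCHEDULED_TASK_NAME = re.compile(r"^(?!\\Microsoft\\)", re.IGNORECASE)
# DeletedAccountGroupScope: privileged groups, plus any account created within the window.
DELETED_ACCOUNT_GROUP_SCOPE = {"Domain Admins", "Administrators"}
RECENTLY_CREATED_WINDOW = timedelta(days=7)
# Assumed group inventory; in production this comes from AD or group-membership events.
ACCOUNT_GROUPS = {"helpdesk01": {"Domain Admins"}, "tempuser": {"Domain Users"}}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted spans whole."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]

def image_name(path):
    """'C:\\Windows\\System32\\sc.exe' -> 'sc'."""
    return re.split(r"[\\/]", path)[-1].lower().removesuffix(".exe")

def arg_after(argv, args, flag):
    """Token following `flag`; args is argv[1:] lower-cased, hence the +2 offset."""
    i = args.index(flag) + 2
    return argv[i] if i < len(argv) else None

def check_process(ev):
    """AN0113 over one Sysmon EventCode=1 record: returns (finding, artifact) or None."""
    argv = tokenize(ev["CommandLine"])
    if not argv:
        return None
    exe, args = image_name(argv[0]), [a.lower() for a in argv[1:]]
    if exe == "sc" and "delete" in args:
        return ("service_deleted", arg_after(argv, args, "delete"))
    if exe == "schtasks" and "/delete" in args and "/tn" in args:
        name = arg_after(argv, args, "/tn")
        if name and DELETED_SCHEDULED_TASK_NAME.search(name):
            return ("scheduled_task_deleted", name)
    if exe == "reg" and args[:1] == ["delete"] and len(argv) > 2:
        if TARGET_REGISTRY_PATH_REGEX.search(argv[2]):
            return ("persistence_regkey_deleted", argv[2])
    if exe == "net" and args[:1] == ["user"] and "/delete" in args and len(argv) > 2:
        return ("account_deleted_via_net", argv[2])   # assumed extra rule, not from the table
    return None

def check_account_deletions(events):
    """Correlate Security 4720 (created) with 4726 (deleted) and apply the account scope."""
    created, findings = {}, []
    for ev in events:
        if ev["EventCode"] == 4720:
            created[ev["TargetUserName"]] = ev["time"]
        elif ev["EventCode"] == 4726:
            user = ev["TargetUserName"]
            recent = user in created and ev["time"] - created[user] <= RECENTLY_CREATED_WINDOW
            privileged = bool(ACCOUNT_GROUPS.get(user, set()) & DELETED_ACCOUNT_GROUP_SCOPE)
            if recent or privileged:
                findings.append(("account_deleted", user, "recent" if recent else "privileged"))
    return findings

def detect(events):
    findings = []
    for ev in events:
        if ev["Channel"] == "Sysmon" and ev["EventCode"] == 1:
            hit = check_process(ev)
            if hit:
                findings.append(hit)
    findings += check_account_deletions(e for e in events if e["Channel"] == "Security")
    return findings

# Constructed sample events (not real telemetry), using the standard field names.
T0 = datetime(2025, 10, 21, 9, 0, 0)
SAMPLE_EVENTS = [
    {"Channel": "Sysmon", "EventCode": 1, "CommandLine": r'sc.exe delete "WinDefendUpd"'},
    {"Channel": "Sysmon", "EventCode": 1, "CommandLine": r'schtasks.exe /delete /tn "\OneDriveSync" /f'},
    {"Channel": "Sysmon", "EventCode": 1,   # built-in tree: outside DeletedScheduledTaskName
     "CommandLine": r'schtasks.exe /delete /tn "\Microsoft\Windows\Defrag\ScheduledDefrag" /f'},
    {"Channel": "Sysmon", "EventCode": 1,
     "CommandLine": r"reg.exe delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /f"},
    {"Channel": "Sysmon", "EventCode": 1,   # not a persistence key: outside TargetRegistryPathRegex
     "CommandLine": r"reg.exe delete HKLM\SOFTWARE\Contoso\Settings /v Theme /f"},
    {"Channel": "Sysmon", "EventCode": 1, "CommandLine": "net.exe user backdoor /delete"},
    {"Channel": "Security", "EventCode": 4720, "time": T0 - timedelta(days=2), "TargetUserName": "svc_backup"},
    {"Channel": "Security", "EventCode": 4726, "time": T0, "TargetUserName": "svc_backup"},
    {"Channel": "Security", "EventCode": 4726, "time": T0, "TargetUserName": "helpdesk01"},
    {"Channel": "Security", "EventCode": 4726, "time": T0, "TargetUserName": "tempuser"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The two negative cases (the built-in Defrag task and the non-persistence Contoso key) are what the mutable elements buy you: without the scope regexes every `schtasks /delete` and `reg delete` fires. Deleting "tempuser" stays silent because it is neither privileged nor recently created in the same batch.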

AN0114 (Linux)

Detects removal of persistence artifacts such as crontab entries, systemd service units, and malicious user accounts through commands like crontab -r, rm /etc/systemd/system/*.service, or userdel.

Log Sources

Data Component             | Name            | Channel
Process Creation (DC0032)  | auditd:SYSCALL  | execve
File Deletion (DC0040)     | auditd:SYSCALL  | file deletion (unlink, unlinkat, rmdir)

Mutable Elements

Field                 | Description
ServicePathMatch      | Targets suspicious or orphaned unit files in /etc/systemd/system/
CronUserScope         | Focuses on crontab activity from root or uncommon users
UserDeletionActivity  | Looks for userdel invocations or deletion of /etc/passwd entries

AN0115 (macOS)

Detects deletion of launch agents (~/Library/LaunchAgents/) and launch daemons (/Library/LaunchDaemons/), especially after suspicious process execution or when tied to known persistence methods.

Log Sources

Data Component              | Name              | Channel
Command Execution (DC0064)  | macos:unifiedlog  | log stream
File Deletion (DC0040)      | macos:osquery     | file_events

Mutable Elements

Field                   | Description
LaunchDaemonPath        | Common plist paths for persistence: ~/Library/LaunchAgents/*.plist, /Library/LaunchDaemons/*.plist
CorrelatedProcessImage  | Ties the deletion to its parent process (e.g., a suspicious AppleScript runner)

AN0116 (ESXi)

Detects adversary removal of persistence implants (e.g., rc.local entries or crontab injections) via CLI (rm, sed, crontab -r) and deletion of startup or management scripts.

Log Sources

Data Component              | Name           | Channel
Command Execution (DC0064)  | esxi:vmkernel  | /var/log/vmkernel.log
File Deletion (DC0040)      | esxi:shell     | shell history (/var/log/shell.log)

Mutable Elements

Field                  | Description
ScriptRemovalPath      | e.g., /etc/rc.local, /etc/init.d/custom.sh
StartupEntryClearance  | Wipe or truncation of persistence locations
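One worked implementation for both AN0114 and AN0116, added here and not part of this detection strategy: the Python below rebuilds argv from constructed auditd SYSCALL/EXECVE pairs (joining on the audit serial and hex-decoding the arguments auditd encodes when they contain spaces or quotes), parses constructed ESXi shell-history lines, and runs one rule set over both. The ServicePathMatch, ScriptRemovalPath and CronUserScope values are assumptions; so is the `/var/log/shell.log` line layout used by the ESXi parser.

```python
import re
import shlex
from collections import defaultdict

# ---- Mutable elements from the AN0114 and AN0116 tables (values are assumptions) ----
SERVICE_PATH_MATCH = re.compile(r"^/etc/systemd/system/[^/]+\.service$")   # ServicePathMatch
SCRIPT_REMOVAL_PATH = re.compile(r"^/etc/(rc\.local|init\.d/[^/]+)$")       # ScriptRemovalPath
EXPECTED_CRON_USERS = {"1001"}   # CronUserScope: uids (or ESXi user names) that normally touch crontabs

def in_cron_scope(user):
    """Root, or any user outside the expected set, is in scope for crontab -r."""
    return user in ("0", "root") or user not in EXPECTED_CRON_USERS

_AUDIT_SERIAL = re.compile(r"msg=audit\([\d.]+:(\d+)\)")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_ESXI_SHELL = re.compile(r"^\S+ shell\[\d+\]: \[(\w+)\]: (.+)$")

def decode_arg(raw):
    """auditd quotes plain args and hex-encodes any containing spaces, quotes or non-printables."""
    return raw.strip('"') if raw.startswith('"') else bytes.fromhex(raw).decode("utf-8", "replace")

def parse_auditd(text):
    """Join SYSCALL and EXECVE records on the audit serial and rebuild argv from a0..aN."""
    recs = defaultdict(dict)
    for line in text.splitlines():
        m = _AUDIT_SERIAL.search(line)
        if not m:
            continue
        kv, rec = dict(_KV.findall(line)), recs[m.group(1)]
        if kv.get("type") == "SYSCALL":
            rec["user"] = kv.get("uid")
        elif kv.get("type") == "EXECVE":   # very long args split as a1[0], a1[1] ... are not handled
            rec["argv"] = [decode_arg(kv[f"a{i}"]) for i in range(int(kv["argc"]))]
    return [r for r in recs.values() if "argv" in r]

def parse_esxi_shell(text):
    """Assumed /var/log/shell.log layout: '<timestamp> shell[<pid>]: [<user>]: <command line>'."""
    recs = []
    for line in text.splitlines():
        m = _ESXI_SHELL.match(line)
        if m:
            recs.append({"user": m.group(1), "argv": shlex.split(m.group(2))})
    return recs

def classify(rec):
    """Map one execution record to a (finding, artifact) tuple, or None."""
    argv = rec["argv"]
    if not argv:
        return None
    cmd, args = argv[0].rsplit("/", 1)[-1], argv[1:]
    paths = [a for a in args if SERVICE_PATH_MATCH.match(a) or SCRIPT_REMOVAL_PATH.match(a)]
    if cmd == "crontab" and "-r" in args:
        return ("crontab_removed", rec["user"]) if in_cron_scope(rec["user"]) else None
    if cmd == "userdel":   # UserDeletionActivity
        names = [a for a in args if not a.startswith("-")]
        return ("user_deleted", names[-1]) if names else None
    if cmd == "rm" and paths:
        return ("persistence_file_removed", paths[0])
    if cmd == "sed" and any(a.startswith("-i") for a in args) and paths:   # StartupEntryClearance
        return ("startup_entry_edited", paths[0])
    if (cmd == "truncate" or ">" in args) and paths:   # ">" only appears in shell history, never in execve argv
        return ("startup_entry_truncated", paths[0])
    return None

def detect(records):
    return [hit for hit in map(classify, records) if hit]

# Constructed sample input (not real telemetry); SYSCALL lines trimmed to the fields used.
AUDITD_SAMPLE = """\
type=SYSCALL msg=audit(1761037200.101:4521): syscall=59 success=yes uid=0 auid=0 comm="crontab" exe="/usr/bin/crontab"
type=EXECVE msg=audit(1761037200.101:4521): argc=2 a0="crontab" a1="-r"
type=SYSCALL msg=audit(1761037200.230:4522): syscall=59 success=yes uid=0 auid=0 comm="rm" exe="/usr/bin/rm"
type=EXECVE msg=audit(1761037200.230:4522): argc=3 a0="rm" a1="-f" a2="/etc/systemd/system/evil.service"
type=SYSCALL msg=audit(1761037200.390:4523): syscall=59 success=yes uid=0 auid=0 comm="userdel" exe="/usr/sbin/userdel"
type=EXECVE msg=audit(1761037200.390:4523): argc=3 a0="userdel" a1="-r" a2="svc_backup"
type=SYSCALL msg=audit(1761037201.010:4524): syscall=59 success=yes uid=0 auid=0 comm="sed" exe="/usr/bin/sed"
type=EXECVE msg=audit(1761037201.010:4524): argc=4 a0="sed" a1="-i" a2=2F6375726C206576696C2F64 a3="/etc/rc.local"
type=SYSCALL msg=audit(1761037202.500:4525): syscall=59 success=yes uid=1001 auid=1001 comm="crontab" exe="/usr/bin/crontab"
type=EXECVE msg=audit(1761037202.500:4525): argc=2 a0="crontab" a1="-r"
"""
ESXI_SHELL_SAMPLE = """\
2025-10-21T09:02:11Z shell[2098886]: [root]: cat /etc/rc.local
2025-10-21T09:02:40Z shell[2098886]: [root]: sed -i '/curl evil/d' /etc/rc.local
2025-10-21T09:03:05Z shell[2098886]: [root]: rm /etc/init.d/custom.sh
2025-10-21T09:03:30Z shell[2098886]: [root]: : > /etc/rc.local
"""

if __name__ == "__main__":
    for hit in detect(parse_auditd(AUDITD_SAMPLE)) + detect(parse_esxi_shell(ESXI_SHELL_SAMPLE)):
        print(hit)
```

Two details matter in practice. First, the hex-encoded `a2=2F63...` argument decodes to `/curl evil/d`: a rule that greps raw EXECVE lines for `sed -i` and a path will miss any invocation where an argument carries a space. Second, the last auditd record is a `crontab -r` from uid 1001, which CronUserScope deliberately suppresses; the same command from root is reported.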