1. Home
  2. Techniques
  3. Enterprise
  4. Indicator Removal
  5. Clear Persistence

Indicator Removal: Clear Persistence

ID Name
T1070.001 Clear Windows Event Logs
T1070.002 Clear Linux or Mac System Logs
T1070.003 Clear Command History
T1070.004 File Deletion
T1070.005 Network Share Connection Removal
T1070.006 Timestomp
T1070.007 Clear Network Connection History and Configurations
T1070.008 Clear Mailbox Data
T1070.009 Clear Persistence
T1070.010 Relocate Malware

Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, Modify Registry, Plist File Modification, or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.[1] Adversaries may also delete accounts previously created to maintain persistence (i.e. Create Account).[2]

In some instances, artifacts of persistence may also be removed once an adversary’s persistence is executed in order to prevent errors with the new instance of the malware.[3]

ID: T1070.009
Sub-technique of:  T1070
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Contributors: Gavin Knapp
Version: 1.1
Created: 29 July 2022
Last Modified: 11 April 2023
Version Permalink

Procedure Examples

ID Name Description
S0534 Bazar

Bazar's loader can delete scheduled tasks created by a previous instance of the malware.[3]
S0632 GrimAgent

GrimAgent can delete previously created tasks on a compromised host.[4]
S1132 IPsec Helper

IPsec Helper can delete various service traces related to persistent execution when commanded.[5]
S0669 KOCTOPUS

KOCTOPUS can delete created registry keys used for persistence as part of its cleanup procedure.[6]
S0500 MCMD

MCMD has the ability to remove set Registry Keys, including those used for persistence.[7]
S0083 Misdat

Misdat is capable of deleting Registry keys used for persistence.[1]
S0385 njRAT

njRAT is capable of manipulating and deleting registry keys, including those used for persistence.[8]
S0517 Pillowmint

Pillowmint can uninstall the malicious service from an infected machine.[9]
S1130 Raspberry Robin

Raspberry Robin uses a RunOnce Registry key for persistence, where the key is removed after its use on reboot then re-added by the malware after it resumes execution.[10]
S0148 RTM

RTM has the ability to remove Registry entries that it created for persistence.[11]
S0085 S-Type

S-Type has deleted accounts it has created.[1]
S0559 SUNBURST

SUNBURST removed IFEO registry values to clean up traces of persistence.[12]

Mitigations

ID Mitigation Description
M1029 Remote Data Storage

Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system.

M1022 Restrict File and Directory Permissions

Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may delete or alter generated artifacts associated with persistence on a host system.
DS0022 File File Deletion

Monitor for a file that may delete or alter generated artifacts associated with persistence on a host system.
File Modification

Monitor for changes made to a file may delete or alter generated artifacts associated with persistence on a host system.
DS0009 Process Process Creation

Monitor for newly executed processes that may delete or alter generated artifacts associated with persistence on a host system.

DS0003 Scheduled Job Scheduled Job Modification

Monitor for changes made to scheduled jobs that may attempt to remove artifacts on a host system.
DS0002 User Account User Account Deletion

Monitor for unexpected deletions of user accounts. Windows event logs may highlight activity associated with an adversary's attempt to remove an account (e.g., Event ID 4726 - A user account was deleted).

Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate account modification events with other indications of malicious activity where possible.
DS0024 Windows Registry Windows Registry Key Deletion

Monitor windows registry keys that may be deleted or alter generated artifacts associated with persistence on a host system.

Windows Registry Key Modification

Monitor for changes made to windows registry keys or values that may delete or alter generated artifacts associated with persistence on a host system.

References

  1. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  2. Nick Biasini. (2022, August 10). Cisco Talos shares insights related to recent cyber attack on Cisco. Retrieved March 9, 2023.
  3. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
  4. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024.
  5. Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.
  6. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
  1. Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.
  2. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  3. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020.
  4. Microsoft Threat Intelligence. (2022, October 27). Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity. Retrieved May 17, 2024.
  5. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  6. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.