Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, Modify Registry, Plist File Modification, or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.[1] Adversaries may also delete accounts previously created to maintain persistence (i.e. Create Account).[2]
In some instances, artifacts of persistence may also be removed once an adversary’s persistence is executed in order to prevent errors with the new instance of the malware.[3]
| ID | Name | Description |
|---|---|---|
| S0534 | Bazar | Bazar's loader can delete scheduled tasks created by a previous instance of the malware.[3] |
| S0632 | GrimAgent | GrimAgent can delete previously created tasks on a compromised host.[4] |
| S1132 | IPsec Helper | IPsec Helper can delete various service traces related to persistent execution when commanded.[5] |
| S1190 | Kapeka | Kapeka will clear registry values used for persistent configuration storage when uninstalled.[6] |
| S0669 | KOCTOPUS | KOCTOPUS can delete created registry keys used for persistence as part of its cleanup procedure.[7] |
| S0500 | MCMD | MCMD has the ability to remove set Registry Keys, including those used for persistence.[8] |
| S0083 | Misdat | Misdat is capable of deleting Registry keys used for persistence.[1] |
| S0385 | njRAT | njRAT is capable of manipulating and deleting registry keys, including those used for persistence.[9] |
| S0517 | Pillowmint | Pillowmint can uninstall the malicious service from an infected machine.[10] |
| S0013 | PlugX | PlugX has deleted registry keys that store data and maintained persistence.[11] |
| S1130 | Raspberry Robin | Raspberry Robin uses a |
| S0148 | RTM | RTM has the ability to remove Registry entries that it created for persistence.[13] |
| S0085 | S-Type | |
| S1232 | SplatDropper | SplatDropper has deleted its malicious payload and removed its own created service to avoid leaving traces of its presence on victim devices.[14] |
| S0559 | SUNBURST | SUNBURST removed IFEO registry values to clean up traces of persistence.[15] |
| ID | Mitigation | Description |
|---|---|---|
| M1029 | Remote Data Storage | Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. |
| M1022 | Restrict File and Directory Permissions | Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0040 | Detection of Persistence Artifact Removal Across Host Platforms | AN0113 | Detects adversary activity that removes persistence artifacts such as services, registry keys, scheduled tasks, user accounts, and binaries through commands like |
| | | AN0114 | Detects removal of persistence artifacts such as crontab entries, systemd service units, and malicious user accounts through commands like |
| | | AN0115 | Detects deletion of launch agents (~/Library/LaunchAgents/) and launch daemons (/Library/LaunchDaemons/), especially after suspicious process execution or when tied to known persistence methods. |
| | | AN0116 | Detects adversary removal of persistence implants (e.g., rc.local entries or crontab injections) via CLI ( |
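The analytics above look for commands that remove services, scheduled tasks, registry keys, accounts, crontab entries, systemd units and launch items; what follows is an added example, not part of the ATT&CK page, that applies that matching to constructed process-creation records forwarded off the host (as M1029 recommends). The record format (`host|user|parent_process|command_line`) and the command patterns are assumptions chosen for the illustration, not values from the page.

```python
import re

# Constructed sample process-creation events (not from the page), one per line as
# "host|user|parent_process|command_line", roughly what a log forwarder would emit.
SAMPLE_EVENTS = [
    'ws01|alice|explorer.exe|schtasks.exe /delete /tn "Updater" /f',
    "ws01|alice|explorer.exe|notepad.exe C:\\Users\\alice\\notes.txt",
    "srv02|SYSTEM|svchost.exe|sc.exe delete backupsvc",
    "srv02|admin|cmd.exe|reg.exe delete HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /f",
    "srv02|admin|cmd.exe|net.exe user helpdesk_tmp /delete",
    "lnx03|root|bash|crontab -r",
    "lnx03|root|bash|rm -f /etc/systemd/system/sync-agent.service",
    "lnx03|root|bash|userdel -r svc_backup",
    "mac04|bob|zsh|launchctl unload ~/Library/LaunchAgents/com.example.agent.plist",
    "mac04|bob|zsh|ls -la ~/Library/LaunchAgents",
]

# Assumed command patterns, keyed by the persistence mechanism whose artifact they remove.
REMOVAL_PATTERNS = {
    "windows_scheduled_task": r"\bschtasks(\.exe)?\s+/delete\b",
    "windows_service": r"\bsc(\.exe)?\s+delete\b",
    "windows_registry_key": r"\breg(\.exe)?\s+delete\b.*\\(Run|RunOnce|Image File Execution Options)\b",
    "windows_local_account": r"\bnet(\.exe)?\s+user\s+\S+\s+/delete\b",
    "linux_crontab": r"\bcrontab\s+-r\b",
    "linux_systemd_unit": r"\bsystemctl\s+disable\b|\brm\b.*/etc/systemd/system/\S+\.service",
    "linux_local_account": r"\buserdel\b",
    "macos_launch_item": r"\blaunchctl\s+(unload|bootout)\b|\brm\b.*/Library/Launch(Agents|Daemons)/",
}

def parse_event(line):
    """Split one record into its four fields; the command line itself may contain '|'."""
    host, user, parent, command_line = line.split("|", 3)
    return {"host": host, "user": user, "parent": parent, "command_line": command_line}

def classify(command_line):
    """Return the first matching removal category, or None when nothing matched."""
    for category, pattern in REMOVAL_PATTERNS.items():
        if re.search(pattern, command_line, re.IGNORECASE):
            return category
    return None

def detect_persistence_removal(lines):
    """Keep only events whose command line removes a persistence artifact, with host context."""
    events = map(parse_event, lines)
    return [{**e, "category": c} for e in events if (c := classify(e["command_line"]))]

if __name__ == "__main__":
    for hit in detect_persistence_removal(SAMPLE_EVENTS):
        print(f"{hit['host']:6} {hit['user']:8} {hit['category']:24} {hit['command_line']}")
```

Keeping the parent process and user in each finding is what lets an analyst separate routine administration (a management agent disabling its own task) from cleanup that follows an unexpected process chain.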