Indicator Removal: Clear Persistence

Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, Modify Registry, Plist File Modification, or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.[1] Adversaries may also delete accounts previously created to maintain persistence (i.e. Create Account).[2]

In some instances, artifacts of persistence may also be removed once an adversary’s persistence is executed in order to prevent errors with the new instance of the malware.[3]

ID: T1070.009
Sub-technique of:  T1070
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Contributors: Gavin Knapp
Version: 1.1
Created: 29 July 2022
Last Modified: 11 April 2023

Procedure Examples

ID Name Description
S0534 Bazar

Bazar's loader can delete scheduled tasks created by a previous instance of the malware.[3]

S0632 GrimAgent

GrimAgent can delete previously created tasks on a compromised host.[4]

S0669 KOCTOPUS

KOCTOPUS can delete created registry keys used for persistence as part of its cleanup procedure.[5]

S0500 MCMD

MCMD has the ability to remove set Registry Keys, including those used for persistence.[6]

S0083 Misdat

Misdat is capable of deleting Registry keys used for persistence.[1]

S0385 njRAT

njRAT is capable of manipulating and deleting registry keys, including those used for persistence.[7]

S0517 Pillowmint

Pillowmint can uninstall the malicious service from an infected machine.[8]

S0148 RTM

RTM has the ability to remove Registry entries that it created for persistence.[9]

S0085 S-Type

S-Type has deleted accounts it has created.[1]

S0559 SUNBURST

SUNBURST removed IFEO registry values to clean up traces of persistence.[10]

Mitigations

ID Mitigation Description
M1029 Remote Data Storage

Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system.

M1022 Restrict File and Directory Permissions

Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may delete or alter generated artifacts associated with persistence on a host system.

DS0022 File File Deletion

Monitor for a file that may delete or alter generated artifacts associated with persistence on a host system.

File Modification

Monitor for changes made to a file may delete or alter generated artifacts associated with persistence on a host system.

DS0009 Process Process Creation

Monitor for newly executed processes that may delete or alter generated artifacts associated with persistence on a host system.

DS0003 Scheduled Job Scheduled Job Modification

Monitor for changes made to scheduled jobs that may attempt to remove artifacts on a host system.

DS0002 User Account User Account Deletion

Monitor for unexpected deletions of user accounts. Windows event logs may highlight activity associated with an adversary's attempt to remove an account (e.g., Event ID 4726 - A user account was deleted).

Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate account modification events with other indications of malicious activity where possible.

DS0024 Windows Registry Windows Registry Key Deletion

Monitor windows registry keys that may be deleted or alter generated artifacts associated with persistence on a host system.

Windows Registry Key Modification

Monitor for changes made to windows registry keys or values that may delete or alter generated artifacts associated with persistence on a host system.

References