Skip to content

DET0040 Detection of Persistence Artifact Removal Across Host Platforms

Item Value
ID DET0040
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1070.009 (Clear Persistence)

Analytics

Windows

AN0113

Detects adversary activity that removes persistence artifacts such as services, registry keys, scheduled tasks, user accounts, and binaries through commands like sc delete, schtasks /delete, or reg delete.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
User Account Deletion (DC0009) WinEventLog:Security EventCode=4726, 4657
Scheduled Job Creation (DC0001) WinEventLog:TaskScheduler EventCode=106
Windows Registry Key Modification (DC0063) WinEventLog:Security EventCode=4657
Mutable Elements
Field Description
TargetRegistryPathRegex Filters known persistence keys like Run/RunOnce, Image File Execution Options
DeletedScheduledTaskName Monitors known or suspicious task names deleted post-persistence
DeletedAccountGroupScope Focuses on highly privileged or recently created accounts

Linux

AN0114

Detects removal of persistence artifacts such as crontab entries, systemd service units, and malicious user accounts through commands like crontab -r, rm /etc/systemd/system/*.service, or userdel.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve
File Deletion (DC0040) auditd:SYSCALL file deletion
Mutable Elements
Field Description
ServicePathMatch Targets suspicious or orphaned unit files in /etc/systemd/system/
CronUserScope Focus on crontab activity from root or uncommon users
UserDeletionActivity Looks for userdel or passwd deletion

macOS

AN0115

Detects deletion of launch agents (~/Library/LaunchAgents/) and launch daemons (/Library/LaunchDaemons/), especially after suspicious process execution or when tied to known persistence methods.

Log Sources
Data Component Name Channel
Command Execution (DC0064) macos:unifiedlog log stream
File Deletion (DC0040) macos:osquery file_events
Mutable Elements
Field Description
LaunchDaemonPath Common plist file paths for persistence: ~/Library/LaunchAgents/*.plist
CorrelatedProcessImage Ties deletion to parent process (e.g., suspicious AppleScript runner)

ESXi

AN0116

Detects adversary removal of persistence implants (e.g., rc.local entries or crontab injections) via CLI (rm, sed, crontab -r) and deletion of startup or management scripts.

Log Sources
Data Component Name Channel
Command Execution (DC0064) esxi:vmkernel /var/log/vmkernel.log
File Deletion (DC0040) esxi:shell shell history
Mutable Elements
Field Description
ScriptRemovalPath e.g., /etc/rc.local, /etc/init.d/custom.sh
StartupEntryClearance Wipe or truncate of persistence locations