
T1070.009 Clear Persistence

Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, modifying the Registry (Modify Registry), modifying plist files (Plist File Modification), or other cleanup methods intended to prevent defenders from collecting evidence of their persistent presence.[1] Adversaries may also delete accounts they previously created to maintain persistence (i.e., Create Account).[2]

In some instances, persistence artifacts may also be removed once the persisted payload has executed, in order to prevent errors with the new instance of the malware.[3]

Item | Value
ID | T1070.009
Sub-techniques | T1070.001, T1070.002, T1070.003, T1070.004, T1070.005, T1070.006, T1070.007, T1070.008, T1070.009
Tactics | TA0005
Platforms | Linux, Windows, macOS
Version | 1.1
Created | 29 July 2022
Last Modified | 11 April 2023

Procedure Examples

ID | Name | Description
S0534 | Bazar | Bazar's loader can delete scheduled tasks created by a previous instance of the malware.[3]
S0632 | GrimAgent | GrimAgent can delete previously created tasks on a compromised host.[9]
S0669 | KOCTOPUS | KOCTOPUS can delete created registry keys used for persistence as part of its cleanup procedure.[5]
S0500 | MCMD | MCMD has the ability to remove set Registry Keys, including those used for persistence.[4]
S0083 | Misdat | Misdat is capable of deleting Registry keys used for persistence.[1]
S0385 | njRAT | njRAT is capable of manipulating and deleting registry keys, including those used for persistence.[8]
S0517 | Pillowmint | Pillowmint can uninstall the malicious service from an infected machine.[7]
S0148 | RTM | RTM has the ability to remove Registry entries that it created for persistence.[10]
S0085 | S-Type | S-Type has deleted accounts it has created.[1]
S0559 | SUNBURST | SUNBURST removed IFEO registry values to clean up traces of persistence.[6]

Mitigations

ID | Mitigation | Description
M1029 | Remote Data Storage | Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize the delay in event reporting to avoid prolonged storage on the local system.
M1022 | Restrict File and Directory Permissions | Protect locally stored event files with proper permissions and authentication, and limit adversaries' opportunities for Privilege Escalation so they cannot gain the rights needed to tamper with those files.

Detection

ID | Data Source | Data Component
DS0017 | Command | Command Execution
DS0022 | File | File Deletion
DS0009 | Process | Process Creation
DS0003 | Scheduled Job | Scheduled Job Modification
DS0002 | User Account | User Account Deletion
DS0024 | Windows Registry | Windows Registry Key Deletion
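The data components above become useful only when tied to the specific persistence locations this technique cleans up (Run/RunOnce and IFEO keys, services, scheduled tasks, accounts). The following is an added example, not part of the ATT&CK page: it assumes telemetry has already been normalised into the hypothetical `source`/`action`/`target` fields shown, and flags deletions that touch a known persistence location rather than every deletion event.

```python
import re

# Constructed sample events in a hypothetical normalised schema (not real logs).
EVENTS = [
    {"source": "registry", "action": "DeleteKey",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"source": "registry", "action": "DeleteValue",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger"},
    {"source": "scheduled_job", "action": "TaskDeleted",
     "target": r"\Microsoft\Windows\SyncCenter\Sync"},
    {"source": "user_account", "action": "AccountDeleted", "target": "svc_backup"},
    {"source": "command", "action": "ProcessCreate", "target": "sc.exe delete WinDefendHelper"},
    # Benign noise: a registry value deletion outside any persistence location.
    {"source": "registry", "action": "DeleteValue", "target": r"HKCU\Software\Vendor\App\WindowSize"},
]

# Registry paths commonly used for persistence: Run/RunOnce keys, IFEO (as SUNBURST used), service keys.
PERSISTENCE_KEY = re.compile(
    r"\\CurrentVersion\\(Run|RunOnce)\\|\\Image File Execution Options\\|\\Services\\",
    re.IGNORECASE,
)
# Command lines that remove a service or scheduled task (Command Execution data component).
CLI_REMOVAL = re.compile(r"^(sc(\.exe)?\s+delete|schtasks(\.exe)?\s+/delete)\b", re.IGNORECASE)


def classify(event):
    """Return a label if the event removes a persistence artifact, else None."""
    src, act, tgt = event["source"], event["action"], event["target"]
    if src == "registry" and act in ("DeleteKey", "DeleteValue") and PERSISTENCE_KEY.search(tgt):
        return "registry-persistence-removed"
    if src == "scheduled_job" and act == "TaskDeleted":
        return "scheduled-task-removed"
    if src == "user_account" and act == "AccountDeleted":
        return "account-removed"
    if src == "command" and CLI_REMOVAL.match(tgt):
        return "service-or-task-removed-via-cli"
    return None


def find_cleanup(events):
    """Return (label, target) pairs for every event that looks like persistence cleanup."""
    hits = []
    for event in events:
        label = classify(event)
        if label:
            hits.append((label, event["target"]))
    return hits
```

In practice the second half of the check is correlation: a hit is far more interesting when the same path, task or account was created earlier by a process that also appears in the cleanup event.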

References