Skip to content

T1070.009 Clear Persistence

Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, Modify Registry, Plist File Modification, or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.1 Adversaries may also delete accounts previously created to maintain persistence (i.e. Create Account).2

In some instances, artifacts of persistence may also be removed once an adversary’s persistence is executed in order to prevent errors with the new instance of the malware.3

Item Value
ID T1070.009
Sub-techniques T1070.001, T1070.002, T1070.003, T1070.004, T1070.005, T1070.006, T1070.007, T1070.008, T1070.009
Tactics TA0005
Platforms Linux, Windows, macOS
Version 1.1
Created 29 July 2022
Last Modified 11 April 2023

Procedure Examples

ID Name Description
S0534 Bazar Bazar‘s loader can delete scheduled tasks created by a previous instance of the malware.3
S0632 GrimAgent GrimAgent can delete previously created tasks on a compromised host.9
S0669 KOCTOPUS KOCTOPUS can delete created registry keys used for persistence as part of its cleanup procedure.5
S0500 MCMD MCMD has the ability to remove set Registry Keys, including those used for persistence.4
S0083 Misdat Misdat is capable of deleting Registry keys used for persistence.1
S0385 njRAT njRAT is capable of manipulating and deleting registry keys, including those used for persistence.8
S0517 Pillowmint Pillowmint can uninstall the malicious service from an infected machine.7
S0148 RTM RTM has the ability to remove Registry entries that it created for persistence.10
S0085 S-Type S-Type has deleted accounts it has created.1
S0559 SUNBURST SUNBURST removed IFEO registry values to clean up traces of persistence.6


ID Mitigation Description
M1029 Remote Data Storage Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system.
M1022 Restrict File and Directory Permissions Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.


ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Deletion
DS0009 Process Process Creation
DS0003 Scheduled Job Scheduled Job Modification
DS0002 User Account User Account Deletion
DS0024 Windows Registry Windows Registry Key Deletion