T1070.009 Clear Persistence
Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, Modify Registry, Plist File Modification, or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.[1] Adversaries may also delete accounts previously created to maintain persistence (i.e. Create Account).[2]
In some instances, artifacts of persistence may also be removed once an adversary’s persistence is executed in order to prevent errors with the new instance of the malware.[3]
Item | Value |
---|---|
ID | T1070.009 |
Sub-techniques | T1070.001, T1070.002, T1070.003, T1070.004, T1070.005, T1070.006, T1070.007, T1070.008, T1070.009 |
Tactics | TA0005 |
Platforms | Linux, Windows, macOS |
Version | 1.1 |
Created | 29 July 2022 |
Last Modified | 11 April 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0534 | Bazar | Bazar’s loader can delete scheduled tasks created by a previous instance of the malware.[3] |
S0632 | GrimAgent | GrimAgent can delete previously created tasks on a compromised host.[9] |
S0669 | KOCTOPUS | KOCTOPUS can delete created registry keys used for persistence as part of its cleanup procedure.[5] |
S0500 | MCMD | MCMD has the ability to remove set Registry Keys, including those used for persistence.[4] |
S0083 | Misdat | Misdat is capable of deleting Registry keys used for persistence.[1] |
S0385 | njRAT | njRAT is capable of manipulating and deleting registry keys, including those used for persistence.[8] |
S0517 | Pillowmint | Pillowmint can uninstall the malicious service from an infected machine.[7] |
S0148 | RTM | RTM has the ability to remove Registry entries that it created for persistence.[10] |
S0085 | S-Type | S-Type has deleted accounts it has created.[1] |
S0559 | SUNBURST | SUNBURST removed IFEO registry values to clean up traces of persistence.[6] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1029 | Remote Data Storage | Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. |
M1022 | Restrict File and Directory Permissions | Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Deletion |
DS0009 | Process | Process Creation |
DS0003 | Scheduled Job | Scheduled Job Modification |
DS0002 | User Account | User Account Deletion |
DS0024 | Windows Registry | Windows Registry Key Deletion |
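The data components above (registry key deletion, scheduled job modification, user account deletion) are the signals a detection would correlate. The following is an added illustration, not MITRE content, of a small detector that consumes a simplified, constructed event stream (Sysmon event 12 for registry object create/delete, Security 4698/4699 for scheduled task create/delete, Security 4726 for account deletion) and flags deletions of persistence artifacts. It also marks the case the description and the Bazar procedure example call out: the same actor that created an artifact later deleting it. The event schema, the `actor` field and the list of persistence-related registry paths are assumptions made for the example.

```python
"""Flag deletions of persistence artifacts (ATT&CK T1070.009) in a constructed
event stream. Added example, not MITRE content; the schema is simplified."""
import re
from dataclasses import dataclass, field

# Registry locations commonly used for persistence: Run/RunOnce keys, Image File
# Execution Options (IFEO) and service definitions. Assumed list for the example.
PERSISTENCE_KEY_PATTERNS = [
    re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE),
    re.compile(r"\\Image File Execution Options\\", re.IGNORECASE),
    re.compile(r"\\CurrentControlSet\\Services\\", re.IGNORECASE),
]


@dataclass
class Event:
    channel: str               # "Sysmon" or "Security"
    event_id: int              # Sysmon 12; Security 4698, 4699, 4726
    actor: str                 # process image (Sysmon) or subject account (Security); assumed field
    fields: dict = field(default_factory=dict)


@dataclass
class Finding:
    rule: str
    actor: str
    artifact: str
    self_cleanup: bool         # the same actor created this artifact earlier in the stream


def is_persistence_key(path: str) -> bool:
    return any(p.search(path) for p in PERSISTENCE_KEY_PATTERNS)


def normalise(ev: Event):
    """Return (kind, action, artifact) for persistence-relevant events, else None."""
    if ev.channel == "Sysmon" and ev.event_id == 12:
        # Sysmon 12 covers registry key and value create/delete; EventType says which.
        target = ev.fields.get("TargetObject", "")
        if not is_persistence_key(target):
            return None
        action = "delete" if ev.fields.get("EventType", "").startswith("Delete") else "create"
        return "registry_key", action, target.lower()
    if ev.channel == "Security" and ev.event_id in (4698, 4699):
        action = "create" if ev.event_id == 4698 else "delete"
        return "scheduled_task", action, ev.fields.get("TaskName", "").lower()
    if ev.channel == "Security" and ev.event_id == 4726:
        return "user_account", "delete", ev.fields.get("TargetUserName", "").lower()
    return None


def detect(events):
    """Emit one Finding per deleted persistence artifact, marking self-cleanup."""
    created = set()
    findings = []
    for ev in events:
        norm = normalise(ev)
        if norm is None:
            continue
        kind, action, artifact = norm
        key = (ev.actor.lower(), kind, artifact)
        if action == "create":
            created.add(key)
            continue
        findings.append(Finding(rule=f"{kind}_deleted", actor=ev.actor,
                                artifact=artifact, self_cleanup=key in created))
    return findings


# Constructed sample events (not real telemetry).
LOADER = r"C:\Users\alice\AppData\Local\Temp\loader.exe"
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"
IFEO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe"
SAMPLE_EVENTS = [
    Event("Sysmon", 12, LOADER, {"EventType": "CreateKey", "TargetObject": RUN_KEY}),
    Event("Sysmon", 12, LOADER, {"EventType": "DeleteKey", "TargetObject": RUN_KEY}),
    Event("Sysmon", 12, LOADER, {"EventType": "DeleteKey", "TargetObject": IFEO_KEY}),
    Event("Sysmon", 12, r"C:\Temp\setup.exe",
          {"EventType": "DeleteKey", "TargetObject": r"HKCU\Software\SomeApp\Settings"}),
    Event("Sysmon", 12, r"C:\Program Files\Teams\teams.exe",
          {"EventType": "CreateKey", "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Teams"}),
    Event("Security", 4699, "alice", {"TaskName": r"\Updater"}),
    Event("Security", 4726, "alice", {"TargetUserName": "svc_backup"}),
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.rule:24} actor={f.actor} artifact={f.artifact} self_cleanup={f.self_cleanup}")
```

Running the sample yields four findings: the Run key deletion by the loader (flagged as self-cleanup because the same image created it), the IFEO key deletion, the scheduled task deletion and the account deletion; the unrelated key deletion and the benign Run key creation are ignored. The self-cleanup flag is the higher-value signal, since legitimate installers rarely remove their own autostart entries moments after creating them; in production the "created" state would need to be persisted across sessions rather than held in memory, and the registry path list tuned to the environment.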
References
1. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
2. Nick Biasini. (2022, August 10). Cisco Talos shares insights related to recent cyber attack on Cisco. Retrieved March 9, 2023.
3. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
4. Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.
5. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
6. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021.
7. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief. Retrieved July 27, 2020.
8. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
9. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021.
10. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.