Technique on mitre.org

T1070.009: Clear Persistence

Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, Modify Registry, Plist File Modification, or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence. Adversaries may also delete accounts previously created to maintain persistence (i.e. Create Account).

In some instances, artifacts of persistence may also be removed once an adversary’s persistence is executed in order to prevent errors with the new instance of the malware.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

oracle_database: PT-CR-279: Oracle_Audit_Entry_Delete: Deletion of entries from an audit table oracle_database: PT-CR-278: Oracle_Audit_Drop: Dropping of an audit table oracle_database: PT-CR-282: Oracle_Audit_Truncate: Truncation of an audit table oracle_database: PT-CR-1278: Oracle_Unified_Audit_Clean: Unified audit trail is cleaned up vmware_aria: PT-CR-2378: AOFL_Data_Partition_Remove: Deletion of a log data partition can indicate an attacker attempting to delete operational artifacts on the Aria Operations for Logs monitoring hosts security_code_secret_net_lsp: PT-CR-1888: SecretNet_LSP_Remove_Log_From_Database: Deletion of Secret Net LSP event logs

Detection

ID	DS0022	Data source and component	File: File Modification	Description	Monitor for changes made to a file may delete or alter generated artifacts associated with persistence on a host system.

ID	DS0003	Data source and component	Scheduled Job: Scheduled Job Modification	Description	Monitor for changes made to scheduled jobs that may attempt to remove artifacts on a host system.

ID	DS0022	Data source and component	File: File Deletion	Description	Monitor for a file that may delete or alter generated artifacts associated with persistence on a host system.

ID	DS0002	Data source and component	User Account: User Account Deletion	Description	Monitor for unexpected deletions of user accounts. Windows event logs may highlight activity associated with an adversary's attempt to remove an account (e.g., `Event ID 4726 - A user account was deleted`). Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate account modification events with other indications of malicious activity where possible.

ID	DS0024	Data source and component	Windows Registry: Windows Registry Key Modification	Description	Monitor for changes made to windows registry keys or values that may delete or alter generated artifacts associated with persistence on a host system.

ID	DS0009	Data source and component	Process: Process Creation	Description	Monitor for newly executed processes that may delete or alter generated artifacts associated with persistence on a host system.

ID	DS0024	Data source and component	Windows Registry: Windows Registry Key Deletion	Description	Monitor windows registry keys that may be deleted or alter generated artifacts associated with persistence on a host system.

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor executed commands and arguments that may delete or alter generated artifacts associated with persistence on a host system.

ID	Data source and component	Description
DS0022	File: File Modification	Monitor for changes made to a file may delete or alter generated artifacts associated with persistence on a host system.
DS0003	Scheduled Job: Scheduled Job Modification	Monitor for changes made to scheduled jobs that may attempt to remove artifacts on a host system.
DS0022	File: File Deletion	Monitor for a file that may delete or alter generated artifacts associated with persistence on a host system.
DS0002	User Account: User Account Deletion	Monitor for unexpected deletions of user accounts. Windows event logs may highlight activity associated with an adversary's attempt to remove an account (e.g., `Event ID 4726 - A user account was deleted`). Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate account modification events with other indications of malicious activity where possible.
DS0024	Windows Registry: Windows Registry Key Modification	Monitor for changes made to windows registry keys or values that may delete or alter generated artifacts associated with persistence on a host system.
DS0009	Process: Process Creation	Monitor for newly executed processes that may delete or alter generated artifacts associated with persistence on a host system.
DS0024	Windows Registry: Windows Registry Key Deletion	Monitor windows registry keys that may be deleted or alter generated artifacts associated with persistence on a host system.
DS0017	Command: Command Execution	Monitor executed commands and arguments that may delete or alter generated artifacts associated with persistence on a host system.

Mitigation

ID	M1022	Name	Restrict File and Directory Permissions	Description	Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.

ID	M1029	Name	Remote Data Storage	Description	Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system.

ID	Name	Description
M1022	Restrict File and Directory Permissions	Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.
M1029	Remote Data Storage	Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system.