Description
Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, modifying the Registry (Modify Registry), editing plist files (Plist File Modification), or other cleanup methods intended to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm) Adversaries may also delete accounts they previously created to maintain persistence (Create Account).(Citation: Talos - Cisco Attack 2022)
In some instances, artifacts of persistence may also be removed once the adversary's persisted payload has executed, so that leftover artifacts do not cause errors in the new instance of the malware.(Citation: NCC Group Team9 June 2020)
Platforms
Mitigations (2)
Restrict File and Directory Permissions (M1022)
Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.
Remote Data Storage (M1029)
Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system.
Associated Software (15)
| ID | Name | Type | Context |
|---|---|---|---|
| S0559 | SUNBURST | Malware | [SUNBURST](https://attack.mitre.org/software/S0559) removed IFEO registry values to clean up traces of persistence.(Citation: Microsoft Deep Dive Solo... |
| S0500 | MCMD | Tool | [MCMD](https://attack.mitre.org/software/S0500) has the ability to remove set Registry Keys, including those used for persistence.(Citation: Securewor... |
| S0534 | Bazar | Malware | [Bazar](https://attack.mitre.org/software/S0534)'s loader can delete scheduled tasks created by a previous instance of the malware.(Citation: NCC Grou... |
| S1132 | IPsec Helper | Malware | [IPsec Helper](https://attack.mitre.org/software/S1132) can delete various service traces related to persistent execution when commanded.(Citation: Se... |
| S0013 | PlugX | Malware | [PlugX](https://attack.mitre.org/software/S0013) has deleted registry keys that store data and maintained persistence.(Citation: Eset PlugX Korplug Mu... |
| S0517 | Pillowmint | Malware | [Pillowmint](https://attack.mitre.org/software/S0517) can uninstall the malicious service from an infected machine.(Citation: Trustwave Pillowmint Jun... |
| S0083 | Misdat | Malware | [Misdat](https://attack.mitre.org/software/S0083) is capable of deleting Registry keys used for persistence.(Citation: Cylance Dust Storm) |
| S1190 | Kapeka | Malware | [Kapeka](https://attack.mitre.org/software/S1190) will clear registry values used for persistent configuration storage when uninstalled.(Citation: Wit... |
| S0085 | S-Type | Malware | [S-Type](https://attack.mitre.org/software/S0085) has deleted accounts it has created.(Citation: Cylance Dust Storm) |
| S0385 | njRAT | Malware | [njRAT](https://attack.mitre.org/software/S0385) is capable of manipulating and deleting registry keys, including those used for persistence.(Citation... |
| S0669 | KOCTOPUS | Malware | [KOCTOPUS](https://attack.mitre.org/software/S0669) can delete created registry keys used for persistence as part of its cleanup procedure.(Citation: ... |
| S1232 | SplatDropper | Malware | [SplatDropper](https://attack.mitre.org/software/S1232) has deleted its malicious payload and removed its own created service to avoid leaving traces ... |
| S0632 | GrimAgent | Malware | [GrimAgent](https://attack.mitre.org/software/S0632) can delete previously created tasks on a compromised host.(Citation: Group IB GrimAgent July 2021... |
| S1130 | Raspberry Robin | Malware | [Raspberry Robin](https://attack.mitre.org/software/S1130) uses a <code>RunOnce</code> Registry key for persistence, where the key is removed after it... |
| S0148 | RTM | Malware | [RTM](https://attack.mitre.org/software/S0148) has the ability to remove Registry entries that it created for persistence.(Citation: ESET RTM Feb 2017... |
References
- Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
- Nick Biasini. (2022, August 10). Cisco Talos shares insights related to recent cyber attack on Cisco. Retrieved March 9, 2023.
- Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
Frequently Asked Questions
What is T1070.009 (Clear Persistence)?
T1070.009 is a MITRE ATT&CK technique named 'Clear Persistence'. It belongs to the Stealth tactic(s). Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, d...
How can T1070.009 be detected?
Detection of T1070.009 (Clear Persistence) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
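As an added example that is not part of the ATT&CK entry or of any software listed above, the following Python sketch turns the artifacts named in the Description (Registry keys and values, services, scheduled tasks, accounts) into detection logic over Windows telemetry, and so gives the generic detection answer above something concrete. The event records are constructed; the field names follow the Sysmon and Windows Security event schemas, the registry-location and command-line patterns are an assumed starting list, and the 24-hour correlation window is an assumed tuning value. Beyond the single-event rules it pairs a persistence value being written with the same value being deleted shortly afterwards, the clean-up-after-the-previous-instance behaviour the Description mentions.

```python
"""Flag removal of persistence artifacts in Windows telemetry (T1070.009).

Added example, not ATT&CK content. Events below are constructed; field names
follow the Sysmon (EventID 1/12/13: Image, CommandLine, EventType,
TargetObject, UtcTime) and Security (4699: TaskName, 4726: TargetUserName)
schemas, but every value is invented for illustration."""
import re
from datetime import datetime, timedelta
from typing import Optional

SYSMON = "Microsoft-Windows-Sysmon/Operational"

# Registry locations routinely used for persistence (Run/RunOnce autostarts,
# IFEO debuggers, service definitions). Assumed starting list, not exhaustive;
# a deletion under one of these is far more interesting than one elsewhere.
PERSISTENCE_KEY_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\\CurrentVersion\\Run(Once)?(\\|$)",
    r"\\Image File Execution Options\\",
    r"\\CurrentControlSet\\Services\\[^\\]+$",
)]
# Built-in tools invoked to remove services, tasks, accounts or keys.
CLEANUP_CMD_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\bsc(\.exe)?\s+delete\b",
    r"\bschtasks(\.exe)?\s+/delete\b",
    r"\bnet1?(\.exe)?\s+user\s+\S+\s+/delete\b",
    r"\breg(\.exe)?\s+delete\b",
)]

def is_persistence_key(target: str) -> bool:
    return any(p.search(target) for p in PERSISTENCE_KEY_PATTERNS)

def classify(ev: dict) -> Optional[str]:
    """Return a rule name when a single event looks like persistence cleanup."""
    eid, chan = ev.get("EventID"), ev.get("Channel")
    if chan == SYSMON and eid == 12 and ev.get("EventType") in ("DeleteKey", "DeleteValue"):
        if is_persistence_key(ev.get("TargetObject", "")):
            return "registry_persistence_removed"
    elif chan == SYSMON and eid == 1:
        if any(p.search(ev.get("CommandLine", "")) for p in CLEANUP_CMD_PATTERNS):
            return "cleanup_command_executed"
    elif chan == "Security" and eid == 4699:   # a scheduled task was deleted
        return "scheduled_task_deleted"
    elif chan == "Security" and eid == 4726:   # a user account was deleted
        return "account_deleted"
    return None

def scan(events: list) -> list:
    """Apply the single-event rules; returns (rule, event) pairs in log order."""
    return [(r, ev) for ev in events if (r := classify(ev))]

def correlate_create_then_delete(events: list, window: timedelta = timedelta(hours=24)) -> list:
    """Pair a persistence value written (Sysmon 13 SetValue) with the same value
    deleted (Sysmon 12 DeleteValue) within `window`: a new instance of the
    malware tidying up the previous one. The window is an assumed tuning value."""
    created = {}   # lower-cased TargetObject -> (time written, writing image)
    pairs = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        target = ev.get("TargetObject", "")
        if ev.get("Channel") != SYSMON or not is_persistence_key(target):
            continue
        if ev["EventID"] == 13:
            created[target.lower()] = (ev["UtcTime"], ev.get("Image"))
        elif ev["EventID"] == 12 and ev.get("EventType") == "DeleteValue":
            prior = created.get(target.lower())
            if prior and ev["UtcTime"] - prior[0] <= window:
                pairs.append({"target": target, "created_by": prior[1],
                              "deleted_by": ev.get("Image"), "age": ev["UtcTime"] - prior[0]})
    return pairs

def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)

RUNONCE = r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\Updater"
SAMPLE_EVENTS = [   # constructed telemetry, not from any real host
    {"Channel": SYSMON, "EventID": 13, "EventType": "SetValue", "UtcTime": _t("2024-05-01T09:00:00"),
     "TargetObject": RUNONCE, "Image": r"C:\Users\alice\AppData\Local\Temp\stage1.exe"},
    {"Channel": SYSMON, "EventID": 12, "EventType": "DeleteValue", "UtcTime": _t("2024-05-01T09:03:10"),
     "TargetObject": RUNONCE, "Image": r"C:\Users\alice\AppData\Roaming\stage2.exe"},
    {"Channel": SYSMON, "EventID": 12, "EventType": "DeleteKey", "UtcTime": _t("2024-05-01T09:04:00"),
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe",
     "Image": r"C:\Users\alice\AppData\Roaming\stage2.exe"},
    {"Channel": "Security", "EventID": 4699, "UtcTime": _t("2024-05-01T09:05:00"),
     "TaskName": r"\Updater", "SubjectUserName": "alice"},
    {"Channel": "Security", "EventID": 4726, "UtcTime": _t("2024-05-01T09:06:00"),
     "TargetUserName": "svc_tmp", "SubjectUserName": "alice"},
    {"Channel": SYSMON, "EventID": 1, "UtcTime": _t("2024-05-01T09:07:00"),
     "Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc.exe delete UpdaterSvc"},
    # Benign noise that must not fire: a non-persistence key and a read-only query.
    {"Channel": SYSMON, "EventID": 12, "EventType": "DeleteKey", "UtcTime": _t("2024-05-01T09:08:00"),
     "TargetObject": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Vendor\Cache", "Image": r"C:\Vendor\app.exe"},
    {"Channel": SYSMON, "EventID": 1, "UtcTime": _t("2024-05-01T09:09:00"),
     "Image": r"C:\Windows\System32\schtasks.exe", "CommandLine": "schtasks.exe /query /tn Updater"},
]

if __name__ == "__main__":
    for rule, ev in scan(SAMPLE_EVENTS):
        print(f"{ev['UtcTime']:%H:%M:%S} {rule:30} by {ev.get('Image') or ev.get('SubjectUserName')}")
    for p in correlate_create_then_delete(SAMPLE_EVENTS):
        print(f"created-then-deleted after {p['age']}: {p['target']} (deleted by {p['deleted_by']})")
```

Run it against events that have already been forwarded off the host (M1029 above): the same actor that deletes a Run value can also clear the local event log, so the create-then-delete correlation only holds up when the earlier write survived somewhere the actor cannot reach. Treat the single-event rules as triage rather than verdicts; installers and administrators legitimately delete services and tasks, so the correlation output and the deleting process's image are where most of the signal is.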
What mitigations exist for T1070.009?
There are 2 documented mitigations for T1070.009. Key mitigations include: Restrict File and Directory Permissions, Remote Data Storage.
Which threat groups use T1070.009?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.