T1070.009 Clear Persistence Mappings

Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, Modify Registry, Plist File Modification, or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm) Adversaries may also delete accounts previously created to maintain persistence (i.e. Create Account).(Citation: Talos - Cisco Attack 2022)

In some instances, artifacts of persistence may also be removed once an adversary’s persistence is executed in order to prevent errors with the new instance of the malware.(Citation: NCC Group Team9 June 2020)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-02 Account Management Protects T1070.009 Clear Persistence
AC-03 Access Enforcement Protects T1070.009 Clear Persistence
AC-05 Separation of Duties Protects T1070.009 Clear Persistence
AC-06 Least Privilege Protects T1070.009 Clear Persistence
CA-07 Continuous Monitoring Protects T1070.009 Clear Persistence
CM-02 Baseline Configuration Protects T1070.009 Clear Persistence
CM-06 Configuration Settings Protects T1070.009 Clear Persistence
SI-03 Malicious Code Protection Protects T1070.009 Clear Persistence
SI-04 System Monitoring Protects T1070.009 Clear Persistence
SI-07 Software, Firmware, and Information Integrity Protects T1070.009 Clear Persistence