Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, Modify Registry, Plist File Modification, or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm) Adversaries may also delete accounts previously created to maintain persistence (i.e. Create Account).(Citation: Talos - Cisco Attack 2022)
In some instances, artifacts of persistence may also be removed once an adversary’s persistence is executed in order to prevent errors with the new instance of the malware.(Citation: NCC Group Team9 June 2020)
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-02 | Account Management | Protects | T1070.009 | Clear Persistence |
AC-03 | Access Enforcement | Protects | T1070.009 | Clear Persistence |
AC-05 | Separation of Duties | Protects | T1070.009 | Clear Persistence |
AC-06 | Least Privilege | Protects | T1070.009 | Clear Persistence |
CA-07 | Continuous Monitoring | Protects | T1070.009 | Clear Persistence |
CM-02 | Baseline Configuration | Protects | T1070.009 | Clear Persistence |
CM-06 | Configuration Settings | Protects | T1070.009 | Clear Persistence |
SI-03 | Malicious Code Protection | Protects | T1070.009 | Clear Persistence |
SI-04 | System Monitoring | Protects | T1070.009 | Clear Persistence |
SI-07 | Software, Firmware, and Information Integrity | Protects | T1070.009 | Clear Persistence |