T1070.009SubTechniquedefense-evasionagent-callable

T1070.009Clear Persistence

Sub-technique of T1070

Platforms: Linux · macOS · Windows

ATT&CK version: 14.1

What it is

Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, [Modify Registry](https://attack.mitre.org/techniques/T1112), [Plist File Modification](https://attack.mitre.org/techniques/T1647), or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm) Adversaries may also delete accounts previously created to maintain persistence (i.e. [Create Account](https://attack.mitre.org/techniques/T1136)).(Citation: Talos - Cisco Attack 2022) In some instances, artifacts of persistence may also be removed once an adversary’s persistence is executed in order to prevent errors with the new instance of the malware.(Citation: NCC Group Team9 June 2020)

ATT&CK tactics· 1

Defense Evasion

References

  1. https://attack.mitre.org/techniques/T1070/009
  2. https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf
  3. https://blog.talosintelligence.com/recent-cyber-attack/
  4. https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.