T1070.009

Clear Persistence

Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, modifying the registry, or other cleanup methods to prevent defenders from collecting evidence of their persistent presence. Adversaries may also delete accounts previously created to maintain persistence. In some instances, artifacts of persistence may be removed once an adversary's persistence executes in order to prevent errors with the new instance of the malware.

Microsoft Sentinel / Defender

kusto

let PersistenceRegistryKeys = dynamic([
  "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
  "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
  "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx",
  "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
  "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
  "SYSTEM\\CurrentControlSet\\Services",
  "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders",
  "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders",
  "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache"
]);
// Detection 1: Registry key deletion in persistence locations
let RegistryDeletions = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType == "RegistryKeyDeleted" or ActionType == "RegistryValueDeleted"
| where RegistryKey has_any (PersistenceRegistryKeys)
| extend DetectionType = "PersistenceRegistryDeleted"
| project Timestamp, DeviceName, AccountName, ActionType, RegistryKey, RegistryValueName,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId,
          InitiatingProcessParentFileName, DetectionType;
// Detection 2: Service deletion via sc.exe or PowerShell
let ServiceDeletion = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    (FileName =~ "sc.exe" and ProcessCommandLine has_any ("delete", "stop")) or
    (FileName =~ "powershell.exe" or FileName =~ "pwsh.exe") and ProcessCommandLine has_any ("Remove-Service", "sc.exe delete", "Stop-Service") or
    (FileName =~ "cmd.exe" and ProcessCommandLine has "sc" and ProcessCommandLine has "delete")
  )
| extend DetectionType = "ServiceDeletion"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Detection 3: Scheduled task deletion
let TaskDeletion = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    (FileName =~ "schtasks.exe" and ProcessCommandLine has "/delete") or
    (FileName =~ "powershell.exe" or FileName =~ "pwsh.exe") and ProcessCommandLine has_any ("Unregister-ScheduledTask", "schtasks /delete")
  )
| extend DetectionType = "ScheduledTaskDeleted"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Detection 4: User account deletion
let AccountDeletion = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    (FileName =~ "net.exe" or FileName =~ "net1.exe") and ProcessCommandLine has "user" and ProcessCommandLine has "/delete" or
    (FileName =~ "powershell.exe" or FileName =~ "pwsh.exe") and ProcessCommandLine has_any ("Remove-LocalUser", "net user") and ProcessCommandLine has "/delete"
  )
| extend DetectionType = "AccountDeleted"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Combine all detections
union RegistryDeletions, ServiceDeletion, TaskDeletion, AccountDeletion
| sort by Timestamp desc

high severity medium confidence

Data Sources

Windows Registry: Registry Key Deletion Process: Process Creation Scheduled Job: Scheduled Job Modification User Account: User Account Deletion Microsoft Defender for Endpoint

Required Tables

DeviceRegistryEvents DeviceProcessEvents

False Positives

Software uninstallers legitimately removing their own Run/RunOnce registry entries during uninstallation
IT administrators removing stale scheduled tasks, services, or user accounts during routine maintenance
Endpoint security or patch management tools (SCCM, Intune, PDQ Deploy) that clean up their own persistence entries after completing tasks
System cleanup tools (CCleaner, Windows built-in Disk Cleanup) removing startup entries as part of optimization
Group Policy processing removing or updating startup registry entries during policy refresh

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security" OR sourcetype="WinEventLog:System")
| eval detection_type=""
| eval detection_type=case(
    EventCode=12 AND (match(TargetObject, "(?i)(SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon|SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options|SYSTEM\\CurrentControlSet\\Services|SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer)") AND match(EventType, "(?i)deletekey|deletevalue")), "PersistenceRegistryDeleted",
    EventCode=13 AND match(TargetObject, "(?i)(SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|SYSTEM\\CurrentControlSet\\Services)") AND EventType="DeleteValue", "PersistenceRegistryDeleted",
    EventCode=1 AND (match(Image, "(?i)sc\.exe") AND match(CommandLine, "(?i)(delete|stop)")), "ServiceDeletion",
    EventCode=1 AND (match(Image, "(?i)(powershell\.exe|pwsh\.exe)") AND match(CommandLine, "(?i)(Remove-Service|sc\.exe\s+delete|Stop-Service)")), "ServiceDeletion",
    EventCode=1 AND (match(Image, "(?i)schtasks\.exe") AND match(CommandLine, "(?i)/delete")), "ScheduledTaskDeleted",
    EventCode=1 AND (match(Image, "(?i)(powershell\.exe|pwsh\.exe)") AND match(CommandLine, "(?i)(Unregister-ScheduledTask|schtasks.*delete)")), "ScheduledTaskDeleted",
    EventCode=1 AND (match(Image, "(?i)net(1)?\.exe") AND match(CommandLine, "(?i)user.*\/delete")), "AccountDeleted",
    EventCode=1 AND (match(Image, "(?i)(powershell\.exe|pwsh\.exe)") AND match(CommandLine, "(?i)(Remove-LocalUser|net user.*\/delete)")), "AccountDeleted",
    EventCode=4726, "AccountDeleted",
    EventCode=7036 AND match(Message, "(?i)service.*stopped"), "ServiceStopped",
    true(), ""
  )
| where detection_type!=""
| eval process_info=coalesce(Image, "N/A")
| eval cmdline=coalesce(CommandLine, ParentCommandLine, Message, "N/A")
| eval registry_target=coalesce(TargetObject, "N/A")
| eval user=coalesce(User, SubjectUserName, "N/A")
| table _time, host, user, detection_type, process_info, cmdline, registry_target, EventCode, ParentImage, ParentCommandLine
| sort - _time

high severity medium confidence

Data Sources

Windows Registry: Registry Key Deletion (Sysmon 12/13) Process: Process Creation (Sysmon 1) User Account: User Account Deletion (Security 4726) Windows System: Service State Change (System 7036)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security WinEventLog:System

False Positives

Software uninstallers legitimately removing their own Run/RunOnce registry entries during uninstallation
IT administrators removing stale scheduled tasks, services, or user accounts during routine maintenance
Endpoint security or patch management tools (SCCM, Intune, PDQ Deploy) that clean up their own persistence entries after completing tasks
Software update processes removing old service entries before reinstalling with new configuration
Group Policy processing removing or updating startup registry entries during policy refresh

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  CATEGORYNAME(category) AS event_category,
  username,
  sourceip,
  QIDNAME(qid) AS event_name,
  "EventID",
  "CommandLine",
  "Image" AS process_image,
  "ParentImage" AS parent_image,
  "TargetObject" AS registry_target,
  CASE
    WHEN "EventID" IN ('12','13') AND ("TargetObject" ILIKE '%CurrentVersion\\Run%' OR "TargetObject" ILIKE '%CurrentControlSet\\Services%' OR "TargetObject" ILIKE '%Winlogon%' OR "TargetObject" ILIKE '%Image File Execution Options%' OR "TargetObject" ILIKE '%TaskCache%') AND ("EventType" ILIKE '%DeleteKey%' OR "EventType" ILIKE '%DeleteValue%') THEN 'PersistenceRegistryDeleted'
    WHEN "EventID" = '1' AND "Image" ILIKE '%sc.exe' AND ("CommandLine" ILIKE '%delete%' OR "CommandLine" ILIKE '%stop%') THEN 'ServiceDeletion'
    WHEN "EventID" = '1' AND ("Image" ILIKE '%powershell.exe' OR "Image" ILIKE '%pwsh.exe') AND ("CommandLine" ILIKE '%Remove-Service%' OR "CommandLine" ILIKE '%Unregister-ScheduledTask%' OR "CommandLine" ILIKE '%sc.exe delete%') THEN 'ServiceOrTaskDeletion'
    WHEN "EventID" = '1' AND "Image" ILIKE '%schtasks.exe' AND "CommandLine" ILIKE '%/delete%' THEN 'ScheduledTaskDeleted'
    WHEN "EventID" = '1' AND ("Image" ILIKE '%net.exe' OR "Image" ILIKE '%net1.exe') AND "CommandLine" ILIKE '%user%' AND "CommandLine" ILIKE '%/delete%' THEN 'AccountDeleted'
    WHEN "EventID" = '4726' THEN 'AccountDeleted'
    ELSE 'Unknown'
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 14, 385)  -- Sysmon, Windows Security
  AND LAST 24 HOURS
  AND (
    ("EventID" IN ('12','13') AND ("TargetObject" ILIKE '%CurrentVersion\\Run%' OR "TargetObject" ILIKE '%CurrentControlSet\\Services%' OR "TargetObject" ILIKE '%Winlogon%' OR "TargetObject" ILIKE '%Image File Execution Options%' OR "TargetObject" ILIKE '%TaskCache%'))
    OR ("EventID" = '1' AND "Image" ILIKE '%sc.exe' AND ("CommandLine" ILIKE '%delete%' OR "CommandLine" ILIKE '%stop%'))
    OR ("EventID" = '1' AND ("Image" ILIKE '%powershell.exe' OR "Image" ILIKE '%pwsh.exe') AND ("CommandLine" ILIKE '%Remove-Service%' OR "CommandLine" ILIKE '%Unregister-ScheduledTask%' OR "CommandLine" ILIKE '%schtasks%delete%' OR "CommandLine" ILIKE '%Remove-LocalUser%'))
    OR ("EventID" = '1' AND "Image" ILIKE '%schtasks.exe' AND "CommandLine" ILIKE '%/delete%')
    OR ("EventID" = '1' AND ("Image" ILIKE '%net.exe' OR "Image" ILIKE '%net1.exe') AND "CommandLine" ILIKE '%user%' AND "CommandLine" ILIKE '%/delete%')
    OR "EventID" = '4726'
  )
ORDER BY devicetime DESC

high severity high confidence

Data Sources

Sysmon (EventID 1, 12, 13) Windows Security Log (EventID 4726) Windows System Log

Required Tables

events

False Positives

Automated software deployment tools removing startup registry entries after installation phase completes
Security hardening scripts that remove unnecessary scheduled tasks and services as part of CIS benchmark remediation
Help desk staff using net.exe to delete temporary or test accounts created for troubleshooting sessions

Sumo Logic CSE

sql

_sourceCategory=windows* ("EventCode=12" OR "EventCode=13" OR "EventCode=1" OR "EventCode=4726" OR "EventCode=7036")
| parse "EventCode=*" as event_code nodrop
| parse "Image=*\n" as process_image nodrop
| parse "CommandLine=*\n" as command_line nodrop
| parse "ParentImage=*\n" as parent_image nodrop
| parse "TargetObject=*\n" as registry_target nodrop
| parse "User=*\n" as user nodrop
| parse "SubjectUserName=*\n" as subject_user nodrop
| parse "EventType=*\n" as event_type nodrop
| where (
    /* Sysmon registry deletion in persistence paths */
    (event_code in ("12","13") and
     (registry_target matches "*CurrentVersion\\Run*" or
      registry_target matches "*CurrentVersion\\RunOnce*" or
      registry_target matches "*Winlogon*" or
      registry_target matches "*Image File Execution Options*" or
      registry_target matches "*CurrentControlSet\\Services*" or
      registry_target matches "*Explorer\\Shell Folders*" or
      registry_target matches "*Schedule\\TaskCache*") and
     (event_type matches "*DeleteKey*" or event_type matches "*DeleteValue*"))
    or
    /* Service deletion via sc.exe */
    (event_code = "1" and process_image matches "*sc.exe" and
     (command_line matches "*delete*" or command_line matches "* stop *"))
    or
    /* PowerShell persistence cleanup */
    (event_code = "1" and (process_image matches "*powershell.exe" or process_image matches "*pwsh.exe") and
     (command_line matches "*Remove-Service*" or command_line matches "*Unregister-ScheduledTask*" or
      command_line matches "*sc.exe delete*" or command_line matches "*Remove-LocalUser*" or
      command_line matches "*schtasks*delete*"))
    or
    /* schtasks deletion */
    (event_code = "1" and process_image matches "*schtasks.exe" and command_line matches "*/delete*")
    or
    /* net.exe account deletion */
    (event_code = "1" and (process_image matches "*net.exe" or process_image matches "*net1.exe") and
     command_line matches "*user*" and command_line matches "*/delete*")
    or
    /* Security event account deleted */
    event_code = "4726"
  )
| eval detection_type = if(event_code in ("12","13"), "PersistenceRegistryDeleted",
    if(event_code = "1" and process_image matches "*sc.exe", "ServiceDeletion",
    if(event_code = "1" and process_image matches "*schtasks.exe", "ScheduledTaskDeleted",
    if(event_code = "1" and (process_image matches "*net.exe" or process_image matches "*net1.exe"), "AccountDeleted",
    if(event_code = "4726", "AccountDeleted",
    if(event_code = "1" and (process_image matches "*powershell.exe" or process_image matches "*pwsh.exe"), "PowerShellPersistenceCleanup",
    "Unknown"))))))
| eval resolved_user = if(!isNull(user) and user != "", user, subject_user)
| table _messageTime, host, resolved_user, detection_type, process_image, command_line, registry_target, parent_image, event_code
| sort by _messageTime asc

high severity high confidence

Data Sources

Windows Sysmon (Operational) Windows Security Event Log Windows System Event Log

Required Tables

_sourceCategory=windows*

False Positives

Application uninstallers legitimately removing their own Run key entries and scheduled tasks during software removal
Configuration management tools such as Ansible or Puppet enforcing service state by deleting unneeded services
System administrators performing account lifecycle management by removing onboarding or service accounts

Google Chronicle / SecOps

yaral

rule t1070_009_clear_persistence {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1070.009 - Clear Persistence: removal of registry persistence keys, services, scheduled tasks, or user accounts"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1070.009"
    severity = "HIGH"
    confidence = "HIGH"
    created = "2026-04-13"

  events:
    (
      /* Registry deletion in persistence key paths */
      (
        $e.metadata.event_type = "REGISTRY_DELETION" and
        (
          re.regex($e.target.registry.registry_key, `(?i)(SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon|SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options|SYSTEM\\CurrentControlSet\\Services|SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders|SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache)`) = true
        )
      )
      or
      /* Service deletion via sc.exe */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        re.regex($e.principal.process.file.full_path, `(?i)sc\.exe$`) = true and
        (
          re.regex($e.target.process.command_line, `(?i)(delete|stop)`) = true
        )
      )
      or
      /* PowerShell persistence cleanup */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        re.regex($e.principal.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe)$`) = true and
        (
          re.regex($e.target.process.command_line, `(?i)(Remove-Service|Unregister-ScheduledTask|sc\.exe\s+delete|Remove-LocalUser|schtasks.*\/delete)`) = true
        )
      )
      or
      /* schtasks.exe deletion */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        re.regex($e.principal.process.file.full_path, `(?i)schtasks\.exe$`) = true and
        re.regex($e.target.process.command_line, `(?i)\/delete`) = true
      )
      or
      /* net.exe account deletion */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        re.regex($e.principal.process.file.full_path, `(?i)net1?\.exe$`) = true and
        re.regex($e.target.process.command_line, `(?i)user.*\/delete`) = true
      )
      or
      /* Windows Security Event 4726 - User Account Deleted */
      (
        $e.metadata.event_type = "USER_DELETION"
      )
    )

  match:
    $e.principal.hostname over 5m

  outcome:
    $risk_score = max(85)
    $hostname = array_distinct($e.principal.hostname)
    $user = array_distinct($e.principal.user.userid)
    $process = array_distinct($e.principal.process.file.full_path)
    $command = array_distinct($e.target.process.command_line)
    $registry_key = array_distinct($e.target.registry.registry_key)

  condition:
    $e
}

high severity high confidence

Data Sources

Windows Sysmon via Chronicle Forwarder Windows Security Events via Chronicle Google Chronicle UDM

Required Tables

UDM Events (REGISTRY_DELETION, PROCESS_LAUNCH, USER_DELETION)

False Positives

Enterprise software deployment pipelines that remove Run key entries and scheduled tasks after software provisioning tasks complete
IT operations teams using PowerShell scripts to decommission Windows services and accounts during system retirement procedures
Endpoint security tools performing remediation after detecting malware, which includes cleaning persistence mechanisms

CrowdStrike LogScale (CQL)

cql

// T1070.009 - Clear Persistence Detection
// Registry deletion in persistence key locations
#event_simpleName = "AsepValueDelete" OR #event_simpleName = "RegKeyDelete"
| TargetPath = /SOFTWARE\Microsoft\Windows\CurrentVersion\Run|SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options|SYSTEM\CurrentControlSet\Services|SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders|SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache/i
| eval DetectionType = "PersistenceRegistryDeleted"
| table timestamp, ComputerName, UserName, TargetPath, RegValueName, ImageFileName, CommandHistory, DetectionType

// Union with process-based detections
OR
(
  #event_simpleName = "ProcessRollup2"
  | (
      // sc.exe service deletion
      (ImageFileName = /\\sc\.exe$/i AND CommandLine = /(delete|stop)/i)
      // PowerShell persistence cleanup
      OR (ImageFileName = /(powershell\.exe|pwsh\.exe)$/i AND CommandLine = /(Remove-Service|Unregister-ScheduledTask|sc\.exe\s+delete|Remove-LocalUser|schtasks.*\/delete)/i)
      // schtasks deletion
      OR (ImageFileName = /\\schtasks\.exe$/i AND CommandLine = /\/delete/i)
      // net.exe account deletion
      OR (ImageFileName = /\\net1?\.exe$/i AND CommandLine = /user.*\/delete/i)
    )
  | eval DetectionType = case(
      ImageFileName = /\\sc\.exe$/i, "ServiceDeletion",
      ImageFileName = /\\schtasks\.exe$/i, "ScheduledTaskDeleted",
      ImageFileName = /\\net1?\.exe$/i, "AccountDeleted",
      ImageFileName = /(powershell\.exe|pwsh\.exe)$/i AND CommandLine = /(Unregister-ScheduledTask|schtasks)/i, "ScheduledTaskDeleted",
      ImageFileName = /(powershell\.exe|pwsh\.exe)$/i AND CommandLine = /(Remove-Service|sc\.exe)/i, "ServiceDeletion",
      ImageFileName = /(powershell\.exe|pwsh\.exe)$/i AND CommandLine = /Remove-LocalUser/i, "AccountDeleted",
      true(), "PersistenceCleanup"
    )
  | table timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType
)
| sort timestamp desc
| groupBy([ComputerName, DetectionType], function=[
    count(as=event_count),
    collect([timestamp, UserName, ImageFileName, CommandLine, TargetPath], limit=20)
  ])

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint (Sysmon-equivalent telemetry) Falcon AsepValueDelete events Falcon ProcessRollup2 events

Required Tables

#event_simpleName = AsepValueDelete #event_simpleName = RegKeyDelete #event_simpleName = ProcessRollup2

False Positives

Software uninstallers using sc.exe and schtasks.exe to remove their own services and scheduled tasks during legitimate removal
Windows system updates or Feature Updates removing deprecated scheduled tasks and ASEP registry entries as part of the upgrade process
Red team or penetration testing exercises running cleanup playbooks after simulated persistence establishment in authorized test environments

Last updated: 2026-04-13 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1070.009 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Clear Persistence

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections