T1070.009 Google Chronicle · YARA-L

Detect Clear Persistence in Google Chronicle

Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, modifying the registry, or other cleanup methods to prevent defenders from collecting evidence of their persistent presence. Adversaries may also delete accounts previously created to maintain persistence. In some instances, artifacts of persistence may be removed once an adversary's persistence executes in order to prevent errors with the new instance of the malware.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1070 Indicator Removal
Sub-technique: T1070.009 Clear Persistence
Canonical reference: https://attack.mitre.org/techniques/T1070/009/

YARA-L Detection Query

Google Chronicle (YARA-L)

```yaral
rule t1070_009_clear_persistence {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1070.009 - Clear Persistence: removal of registry persistence keys, services, scheduled tasks, or user accounts"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1070.009"
    severity = "HIGH"
    confidence = "HIGH"
    created = "2026-04-13"

  events:
    (
      /* Registry deletion in persistence key paths */
      (
        $e.metadata.event_type = "REGISTRY_DELETION" and
        re.regex($e.target.registry.registry_key, `(?i)(SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon|SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options|SYSTEM\\CurrentControlSet\\Services|SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders|SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache)`) = true
      )
      or
      /* Service deletion via sc.exe.
         For UDM PROCESS_LAUNCH events, target.process is the process being
         launched and principal.process is its parent, so the image path and
         the command line are both read from target.process. */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        re.regex($e.target.process.file.full_path, `(?i)sc\.exe$`) = true and
        re.regex($e.target.process.command_line, `(?i)(delete|stop)`) = true
      )
      or
      /* PowerShell persistence cleanup */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        re.regex($e.target.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe)$`) = true and
        re.regex($e.target.process.command_line, `(?i)(Remove-Service|Unregister-ScheduledTask|sc\.exe\s+delete|Remove-LocalUser|schtasks.*\/delete)`) = true
      )
      or
      /* schtasks.exe deletion */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        re.regex($e.target.process.file.full_path, `(?i)schtasks\.exe$`) = true and
        re.regex($e.target.process.command_line, `(?i)\/delete`) = true
      )
      or
      /* net.exe / net1.exe account deletion */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        re.regex($e.target.process.file.full_path, `(?i)net1?\.exe$`) = true and
        re.regex($e.target.process.command_line, `(?i)user.*\/delete`) = true
      )
      or
      /* Windows Security Event 4726 - User Account Deleted */
      (
        $e.metadata.event_type = "USER_DELETION"
      )
    )

  match:
    $e.principal.hostname over 5m

  outcome:
    $risk_score = max(85)
    $hostname = array_distinct($e.principal.hostname)
    $user = array_distinct($e.principal.user.userid)
    /* launched process, consistent with the PROCESS_LAUNCH branches above */
    $process = array_distinct($e.target.process.file.full_path)
    $command = array_distinct($e.target.process.command_line)
    $registry_key = array_distinct($e.target.registry.registry_key)

  condition:
    $e
}
```

Chronicle YARA-L 2.0 rule detecting T1070.009 Clear Persistence by monitoring UDM registry deletion events in known Windows persistence key paths, process launch events for sc.exe, schtasks.exe, net.exe, and PowerShell with persistence-clearing arguments, and USER_DELETION events corresponding to Windows Security Event 4726.
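As an added example (not Chronicle's or Argus's code), the rule's event predicates re-implemented in Python over constructed UDM-shaped events, so each branch and the false-positive exposure of the broad `stop` alternative can be exercised without a Chronicle tenant. The flat dict keys (`event_type`, `registry_key`, `process_path`, `command_line`, `hostname`) are assumed stand-ins for the UDM paths in the rule, and the 5-minute match window is not modelled.

```python
import re
from collections import defaultdict

# Added example, not Chronicle/Argus code; same key paths as the REGISTRY_DELETION branch
PERSISTENCE_KEYS = re.compile(
    r"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|"
    r"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon|"
    r"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options|"
    r"SYSTEM\\CurrentControlSet\\Services|"
    r"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache", re.I)
# (image regex, command-line regex) for each PROCESS_LAUNCH branch of the rule
PROCESS_BRANCHES = [(re.compile(i, re.I), re.compile(c, re.I)) for i, c in [
    (r"sc\.exe$", r"delete|stop"),
    (r"(powershell|pwsh)\.exe$",
     r"Remove-Service|Unregister-ScheduledTask|sc\.exe\s+delete|Remove-LocalUser|schtasks.*/delete"),
    (r"schtasks\.exe$", r"/delete"),
    (r"net1?\.exe$", r"user.*/delete"),
]]

def matches(event: dict) -> bool:
    """True when the event satisfies any alternative of the rule's events block."""
    et = event.get("event_type")
    if et == "USER_DELETION":  # Security 4726 normalised to UDM
        return True
    if et == "REGISTRY_DELETION":
        return bool(PERSISTENCE_KEYS.search(event.get("registry_key", "")))
    if et == "PROCESS_LAUNCH":
        image, cmd = event.get("process_path", ""), event.get("command_line", "")
        return any(i.search(image) and c.search(cmd) for i, c in PROCESS_BRANCHES)
    return False

def detections_by_host(events):
    """Group hits by hostname like 'match: $e.principal.hostname' (5m window not modelled)."""
    hits = defaultdict(list)
    for e in events:
        if matches(e):
            hits[e["hostname"]].append(e)
    return dict(hits)

# Constructed sample telemetry, not real logs
SAMPLE_EVENTS = [
    {"hostname": "ws01", "event_type": "REGISTRY_DELETION",
     "registry_key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ArgusTestPersistence"},
    {"hostname": "ws01", "event_type": "PROCESS_LAUNCH", "process_path": r"C:\Windows\System32\schtasks.exe",
     "command_line": "schtasks /delete /tn ArgusTestTask /f"},
    {"hostname": "ws02", "event_type": "PROCESS_LAUNCH", "process_path": r"C:\Windows\System32\sc.exe",
     "command_line": "sc stop Spooler"},  # benign stop still fires: the 'stop' alternative is a tuning candidate
    {"hostname": "ws03", "event_type": "REGISTRY_DELETION",
     "registry_key": r"HKCU\Software\Classes\Local Settings\MuiCache"},  # not a persistence path, no hit
]
```

Running `detections_by_host(SAMPLE_EVENTS)` returns hits for ws01 and ws02 only; the ws02 hit is a benign `sc stop`, which is the kind of case the tuning section below is about.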

Data Sources

  • Windows Sysmon via Chronicle Forwarder
  • Windows Security Events via Chronicle
  • Google Chronicle UDM

Required Tables

UDM Events (REGISTRY_DELETION, PROCESS_LAUNCH, USER_DELETION)

False Positives & Tuning

  • Enterprise software deployment pipelines that remove Run key entries and scheduled tasks after software provisioning tasks complete
  • IT operations teams using PowerShell scripts to decommission Windows services and accounts during system retirement procedures
  • Endpoint security tools performing remediation after detecting malware, which includes cleaning persistence mechanisms

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Delete Registry Run Key Persistence Entry

    Expected signal: Sysmon Event ID 12: RegistryEvent (Object Create/Delete) with TargetObject=HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ArgusTestPersistence, EventType=DeleteValue. Sysmon Event ID 1: Process Create with Image=reg.exe, CommandLine containing 'delete' and 'ArgusTestPersistence'. Security Event ID 4688 (if command line auditing enabled) for reg.exe process creation.

  2. Test 2: Malicious Service Creation and Self-Deletion

    Expected signal: System Event ID 7045: New Service Installed (ArgusTestSvc). System Event ID 7036: Service state changes (running, stopped). Sysmon Event ID 1: Multiple process creation events for sc.exe with arguments 'create', 'start', 'stop', 'delete'. Registry: HKLM\SYSTEM\CurrentControlSet\Services\ArgusTestSvc key created then deleted (Sysmon Event ID 12). Security Event ID 4697: Service was installed in the system.

  3. Test 3: Scheduled Task Self-Deletion

    Expected signal: Microsoft-Windows-TaskScheduler/Operational Event ID 106: Task Registered (ArgusTestTask). Event ID 141: Task Deleted (ArgusTestTask). Sysmon Event ID 1: Process Create events for schtasks.exe with '/create' then '/delete /tn ArgusTestTask /f'. Registry changes under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache (Sysmon Event ID 12/13).

  4. Test 4: IFEO Registry Key Deletion (SUNBURST-style Cleanup)

    Expected signal: Sysmon Event ID 13: RegistryEvent (Value Set) for HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe with value Debugger. Sysmon Event ID 12: RegistryEvent (Object Delete) for the same key after deletion. Sysmon Event ID 1: reg.exe process with command line containing 'Image File Execution Options' and 'Debugger'. Security Event ID 4688 for reg.exe execution.

  5. Test 5: Local User Account Deletion (S-Type/Dust Storm Cleanup)

    Expected signal: Security Event ID 4720: User Account Created (TargetUserName=ArgusTestUser). Security Event ID 4726: User Account Deleted (TargetUserName=ArgusTestUser). Sysmon Event ID 1: Two net.exe process creation events — one with '/add' and one with '/delete'. Security Event ID 4688 (if command line auditing enabled) for net.exe executions.
