Detect Clear Persistence in Microsoft Sentinel
Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, modifying the registry, or other cleanup methods to prevent defenders from collecting evidence of their persistent presence. Adversaries may also delete accounts previously created to maintain persistence. In some instances, artifacts of persistence may be removed once an adversary's persistence executes in order to prevent errors with the new instance of the malware.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1070 Indicator Removal
- Sub-technique
- T1070.009 Clear Persistence
- Canonical reference
- https://attack.mitre.org/techniques/T1070/009/
KQL Detection Query
let PersistenceRegistryKeys = dynamic([
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx",
    "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
    "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
    "SYSTEM\\CurrentControlSet\\Services",
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders",
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders",
    "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache"
]);
// Detection 1: Registry key or value deletion in known persistence locations
let RegistryDeletions = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType in ("RegistryKeyDeleted", "RegistryValueDeleted")
| where RegistryKey has_any (PersistenceRegistryKeys)
| extend DetectionType = "PersistenceRegistryDeleted"
| project Timestamp, DeviceName, AccountName, ActionType, RegistryKey, RegistryValueName,
    InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId,
    InitiatingProcessParentFileName, DetectionType;
// Detection 2: Service deletion via sc.exe, cmd.exe or PowerShell
// ("stop" is included to catch stop-then-delete sequences; drop it if it is too noisy)
let ServiceDeletion = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (FileName =~ "sc.exe" and ProcessCommandLine has_any ("delete", "stop"))
    or (FileName in~ ("powershell.exe", "pwsh.exe")
        and ProcessCommandLine has_any ("Remove-Service", "sc.exe delete", "Stop-Service"))
    or (FileName =~ "cmd.exe" and ProcessCommandLine has "sc" and ProcessCommandLine has "delete")
| extend DetectionType = "ServiceDeletion"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Detection 3: Scheduled task deletion via schtasks.exe or PowerShell
let TaskDeletion = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (FileName =~ "schtasks.exe" and ProcessCommandLine has "/delete")
    or (FileName in~ ("powershell.exe", "pwsh.exe")
        and ProcessCommandLine has_any ("Unregister-ScheduledTask", "schtasks /delete"))
| extend DetectionType = "ScheduledTaskDeleted"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Detection 4: Local user account deletion via net.exe or PowerShell
// Remove-LocalUser takes no "/delete" switch, so it is matched on its own rather than
// being AND-ed with the net.exe switch (which would make the cmdlet branch never fire).
let AccountDeletion = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (FileName in~ ("net.exe", "net1.exe")
        and ProcessCommandLine has "user" and ProcessCommandLine has "/delete")
    or (FileName in~ ("powershell.exe", "pwsh.exe")
        and (ProcessCommandLine has "Remove-LocalUser"
             or (ProcessCommandLine has "net user" and ProcessCommandLine has "/delete")))
| extend DetectionType = "AccountDeleted"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Combine all detections
union RegistryDeletions, ServiceDeletion, TaskDeletion, AccountDeletion
| sort by Timestamp desc

Detects adversary attempts to clear previously established persistence mechanisms on Windows hosts. Covers four primary patterns: (1) deletion of registry values or keys in known persistence locations (Run, RunOnce, IFEO, Services, Winlogon), (2) service deletion via sc.exe or PowerShell, (3) scheduled task deletion via schtasks.exe or PowerShell cmdlets, and (4) local user account deletion. Uses the DeviceRegistryEvents and DeviceProcessEvents tables from Microsoft Defender for Endpoint.
Data Sources
Required Tables
- DeviceRegistryEvents (Microsoft Defender for Endpoint)
- DeviceProcessEvents (Microsoft Defender for Endpoint)
False Positives & Tuning
- Software uninstallers legitimately removing their own Run/RunOnce registry entries during uninstallation
- IT administrators removing stale scheduled tasks, services, or user accounts during routine maintenance
- Endpoint security or patch management tools (SCCM, Intune, PDQ Deploy) that clean up their own persistence entries after completing tasks
- System cleanup tools (CCleaner, Windows built-in Disk Cleanup) removing startup entries as part of optimization
- Group Policy processing removing or updating startup registry entries during policy refresh
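To exercise the query's four patterns and the tuning ideas above offline, the following Python re-implements the same matching logic over constructed Defender for Endpoint-style records and applies an allow-list on the initiating process. This is an added example, not part of the original page or of Microsoft's tooling; the records, host names and the allow-listed process names are assumptions chosen for illustration, and the substring matching approximates KQL's term-based `has`.

```python
"""Offline re-implementation of the four detection patterns in the Sentinel query
above, run over constructed sample telemetry. Added example: the records, host names
and tuning allow-list are invented for illustration, not real data."""
from dataclasses import dataclass
from typing import Optional

# Mirrors the query's PersistenceRegistryKeys dynamic() list. Matching below is a
# case-insensitive substring test, so "...\Run" also covers "...\RunOnce"; KQL `has`
# matches whole terms, but both yield the same set of hits on these paths.
PERSISTENCE_REGISTRY_KEYS = [
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx",
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",
    r"SYSTEM\CurrentControlSet\Services",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache",
]

# Hypothetical tuning allow-list (see "False Positives & Tuning"): initiating
# processes of installer/management tooling whose own cleanup is expected.
# Assumed values for this example; tune to what is actually observed in your estate.
ALLOWLISTED_INITIATORS = {"msiexec.exe", "ccmexec.exe"}
POWERSHELL = ("powershell.exe", "pwsh.exe")


@dataclass
class Event:
    table: str                    # "DeviceProcessEvents" or "DeviceRegistryEvents"
    device: str
    account: str
    file_name: str = ""           # FileName (process events)
    command_line: str = ""        # ProcessCommandLine (process events)
    action_type: str = ""         # ActionType (registry events)
    registry_key: str = ""        # RegistryKey (registry events)
    initiating_process: str = ""  # InitiatingProcessFileName


def classify(e: Event) -> Optional[str]:
    """Return the DetectionType the query would assign to this event, or None."""
    if e.table == "DeviceRegistryEvents":
        key = e.registry_key.lower()
        if e.action_type in ("RegistryKeyDeleted", "RegistryValueDeleted") and any(
                k.lower() in key for k in PERSISTENCE_REGISTRY_KEYS):
            return "PersistenceRegistryDeleted"
        return None
    fn, cl = e.file_name.lower(), e.command_line.lower()
    ps = fn in POWERSHELL
    # Detection 2: service deletion via sc.exe, cmd.exe or PowerShell.
    if ((fn == "sc.exe" and ("delete" in cl or "stop" in cl))
            or (ps and any(t in cl for t in ("remove-service", "sc.exe delete", "stop-service")))
            or (fn == "cmd.exe" and "sc" in cl.split() and "delete" in cl)):
        return "ServiceDeletion"
    # Detection 3: scheduled task deletion.
    if ((fn == "schtasks.exe" and "/delete" in cl)
            or (ps and any(t in cl for t in ("unregister-scheduledtask", "schtasks /delete")))):
        return "ScheduledTaskDeleted"
    # Detection 4: account deletion. Remove-LocalUser takes no "/delete" switch, so it
    # is matched on its own instead of being AND-ed with the net.exe switch.
    if ((fn in ("net.exe", "net1.exe") and "user" in cl and "/delete" in cl)
            or (ps and ("remove-localuser" in cl or ("net user" in cl and "/delete" in cl)))):
        return "AccountDeleted"
    return None


def run_detections(events: list, apply_tuning: bool = True) -> list:
    """Classify each event; with apply_tuning, drop hits from allow-listed initiators."""
    hits = []
    for e in events:
        detection = classify(e)
        if detection is None:
            continue
        if apply_tuning and e.initiating_process.lower() in ALLOWLISTED_INITIATORS:
            continue
        hits.append((e.device, detection, e.file_name or e.registry_key))
    return hits


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    Event("DeviceRegistryEvents", "WS01", "alice", action_type="RegistryValueDeleted",
          registry_key=r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
          initiating_process="reg.exe"),
    Event("DeviceProcessEvents", "WS01", "alice", file_name="sc.exe",
          command_line="sc.exe delete ExampleSvc", initiating_process="cmd.exe"),
    Event("DeviceProcessEvents", "WS02", "bob", file_name="schtasks.exe",
          command_line='schtasks.exe /delete /tn "ExampleTask" /f', initiating_process="cmd.exe"),
    Event("DeviceProcessEvents", "WS02", "bob", file_name="pwsh.exe",
          command_line="pwsh.exe -c Remove-LocalUser -Name exampleuser",
          initiating_process="explorer.exe"),
    # Installer removing its own RunOnce entry: suppressed only when tuning is applied.
    Event("DeviceRegistryEvents", "WS03", "SYSTEM", action_type="RegistryKeyDeleted",
          registry_key=r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
          initiating_process="msiexec.exe"),
    # Deletion outside any persistence location: must not fire.
    Event("DeviceRegistryEvents", "WS03", "carol", action_type="RegistryValueDeleted",
          registry_key=r"HKEY_CURRENT_USER\SOFTWARE\ExampleApp\Settings",
          initiating_process="exampleapp.exe"),
]

if __name__ == "__main__":
    for hit in run_detections(SAMPLE_EVENTS):
        print(hit)
```

Running it yields four hits with tuning applied and five without: the msiexec.exe RunOnce cleanup is the one suppressed, which is exactly the trade-off the tuning list describes. Keep such allow-lists keyed on the initiating process rather than the account, since adversaries commonly run cleanup under privileged service accounts.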
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Delete Registry Run Key Persistence Entry
Expected signal: Sysmon Event ID 12: RegistryEvent (Object Create/Delete) with TargetObject=HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ArgusTestPersistence, EventType=DeleteValue. Sysmon Event ID 1: Process Create with Image=reg.exe, CommandLine containing 'delete' and 'ArgusTestPersistence'. Security Event ID 4688 (if command line auditing enabled) for reg.exe process creation.
- Test 2: Malicious Service Creation and Self-Deletion
Expected signal: System Event ID 7045: New Service Installed (ArgusTestSvc). System Event ID 7036: Service state changes (running, stopped). Sysmon Event ID 1: Multiple process creation events for sc.exe with arguments 'create', 'start', 'stop', 'delete'. Registry: HKLM\SYSTEM\CurrentControlSet\Services\ArgusTestSvc key created then deleted (Sysmon Event ID 12). Security Event ID 4697: Service was installed in the system.
- Test 3: Scheduled Task Self-Deletion
Expected signal: Microsoft-Windows-TaskScheduler/Operational Event ID 106: Task Registered (ArgusTestTask). Event ID 141: Task Deleted (ArgusTestTask). Sysmon Event ID 1: Process Create events for schtasks.exe with '/create' then '/delete /tn ArgusTestTask /f'. Registry changes under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache (Sysmon Event ID 12/13).
- Test 4: IFEO Registry Key Deletion (SUNBURST-style Cleanup)
Expected signal: Sysmon Event ID 13: RegistryEvent (Value Set) for HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe with value Debugger. Sysmon Event ID 12: RegistryEvent (Object Delete) for the same key after deletion. Sysmon Event ID 1: reg.exe process with command line containing 'Image File Execution Options' and 'Debugger'. Security Event ID 4688 for reg.exe execution.
- Test 5: Local User Account Deletion (S-Type/Dust Storm Cleanup)
Expected signal: Security Event ID 4720: User Account Created (TargetUserName=ArgusTestUser). Security Event ID 4726: User Account Deleted (TargetUserName=ArgusTestUser). Sysmon Event ID 1: Two net.exe process creation events — one with '/add' and one with '/delete'. Security Event ID 4688 (if command line auditing enabled) for net.exe executions.
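Tests 2, 3 and 5 all describe the same shape of telemetry: a creation event (7045, 106, 4720) followed shortly by the matching deletion (Services key removal, 141, 4726) for the same artifact. The Python below, added here as an example and not part of the original page, correlates those pairs into a single "short-lived persistence" finding over constructed event records; the record format, artifact names and timestamps are placeholders, and the Sysmon channel label and the pipe-delimited layout are assumptions made for the example.

```python
"""Correlate the create/delete event pairs listed in the testing methodology into a
single "short-lived persistence" finding. Added example over constructed Windows
event records; artifact names, hosts and timestamps are placeholders, not real data."""
from collections import defaultdict
from datetime import datetime

# (create, delete) event pairs per artifact kind, taken from the expected signals above.
# Channel names follow the page; "Sysmon" stands for the Sysmon operational log.
PAIRS = {
    "user": (("Security", 4720), ("Security", 4726)),
    "task": (("Microsoft-Windows-TaskScheduler/Operational", 106),
             ("Microsoft-Windows-TaskScheduler/Operational", 141)),
    "service": (("System", 7045), ("Sysmon", 12)),  # 12 = registry object create/delete
}


def parse_record(line: str) -> dict:
    """Parse one constructed 'timestamp|channel|event_id|artifact|detail' record."""
    ts, channel, event_id, artifact, detail = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "channel": channel,
            "event_id": int(event_id), "artifact": artifact, "detail": detail}


def correlate(lines, window_seconds: int = 1800) -> list:
    """Return (kind, artifact, lifetime_seconds) for every artifact that was created
    and then deleted within window_seconds, ordered by deletion time."""
    records = sorted((parse_record(l) for l in lines), key=lambda r: r["ts"])
    created = defaultdict(list)   # (kind, artifact) -> creation timestamps, FIFO
    findings = []
    for r in records:
        key = (r["channel"], r["event_id"])
        for kind, (create, delete) in PAIRS.items():
            if key == create:
                created[(kind, r["artifact"])].append(r["ts"])
            elif key == delete and created[(kind, r["artifact"])]:
                # Sysmon 12 fires for any registry object; only the Services hive counts
                # as a service removal. (The sample carries the DeleteKey instance only;
                # a real feed would also filter on the Sysmon EventType field.)
                if kind == "service" and "currentcontrolset\\services" not in r["detail"].lower():
                    continue
                t0 = created[(kind, r["artifact"])].pop(0)
                lifetime = int((r["ts"] - t0).total_seconds())
                if lifetime <= window_seconds:
                    findings.append((kind, r["artifact"], lifetime))
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    "2024-05-01T10:00:00|Security|4720|ExampleUser|User Account Created",
    "2024-05-01T10:00:05|System|7045|ExampleSvc|New Service Installed",
    "2024-05-01T10:00:10|Microsoft-Windows-TaskScheduler/Operational|106|ExampleTask|Task Registered",
    "2024-05-01T10:02:00|Sysmon|12|ExampleSvc|HKLM\\SYSTEM\\CurrentControlSet\\Services\\ExampleSvc",
    "2024-05-01T10:03:00|Microsoft-Windows-TaskScheduler/Operational|141|ExampleTask|Task Deleted",
    "2024-05-01T10:04:00|Security|4726|ExampleUser|User Account Deleted",
    # A contractor account removed a week after creation: outside the window, not a finding.
    "2024-05-01T09:00:00|Security|4720|Contractor|User Account Created",
    "2024-05-08T09:00:00|Security|4726|Contractor|User Account Deleted",
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```

The 30-minute default window separates the self-deleting test artifacts (lifetimes of a few minutes) from routine lifecycle activity such as the week-old contractor account, which the single-event query above would report as an ordinary AccountDeleted hit. Widening the window trades that precision for coverage of slower cleanup.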
References (11)
- https://attack.mitre.org/techniques/T1070/009/
- https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf
- https://blog.talosintelligence.com/recent-cyber-attack/
- https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/
- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
- https://www.secureworks.com/research/mcmd-malware-analysis
- https://sentinelone.com/labs/from-wiper-to-ransomware-the-evolution-of-agrius/
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4726
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon