T1070.009 Sumo Logic CSE · Sumo

Detect Clear Persistence in Sumo Logic CSE

Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, modifying the registry, or other cleanup methods to prevent defenders from collecting evidence of their persistent presence. Adversaries may also delete accounts previously created to maintain persistence. In some instances, artifacts of persistence may be removed once an adversary's persistence executes in order to prevent errors with the new instance of the malware.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1070 Indicator Removal
Sub-technique
T1070.009 Clear Persistence
Canonical reference
https://attack.mitre.org/techniques/T1070/009/

Sumo Detection Query

Sumo Logic CSE (Sumo)

```sql
_sourceCategory=windows* ("EventCode=12" OR "EventCode=13" OR "EventCode=1" OR "EventCode=4726" OR "EventCode=7036")
| parse "EventCode=*" as event_code nodrop
| parse "Image=*\n" as process_image nodrop
| parse "CommandLine=*\n" as command_line nodrop
| parse "ParentImage=*\n" as parent_image nodrop
| parse "TargetObject=*\n" as registry_target nodrop
| parse "User=*\n" as user nodrop
| parse "SubjectUserName=*\n" as subject_user nodrop
| parse "EventType=*\n" as event_type nodrop
| where (
    /* Sysmon registry deletion in persistence paths */
    (event_code in ("12","13") and
     (registry_target matches "*CurrentVersion\\Run*" or
      registry_target matches "*CurrentVersion\\RunOnce*" or
      registry_target matches "*Winlogon*" or
      registry_target matches "*Image File Execution Options*" or
      registry_target matches "*CurrentControlSet\\Services*" or
      registry_target matches "*Explorer\\Shell Folders*" or
      registry_target matches "*Schedule\\TaskCache*") and
     (event_type matches "*DeleteKey*" or event_type matches "*DeleteValue*"))
    or
    /* Service deletion via sc.exe */
    (event_code = "1" and process_image matches "*sc.exe" and
     (command_line matches "*delete*" or command_line matches "* stop *"))
    or
    /* PowerShell persistence cleanup */
    (event_code = "1" and (process_image matches "*powershell.exe" or process_image matches "*pwsh.exe") and
     (command_line matches "*Remove-Service*" or command_line matches "*Unregister-ScheduledTask*" or
      command_line matches "*sc.exe delete*" or command_line matches "*Remove-LocalUser*" or
      command_line matches "*schtasks*delete*"))
    or
    /* schtasks deletion */
    (event_code = "1" and process_image matches "*schtasks.exe" and command_line matches "*/delete*")
    or
    /* net.exe account deletion */
    (event_code = "1" and (process_image matches "*net.exe" or process_image matches "*net1.exe") and
     command_line matches "*user*" and command_line matches "*/delete*")
    or
    /* Security event account deleted */
    event_code = "4726"
  )
| eval detection_type = if(event_code in ("12","13"), "PersistenceRegistryDeleted",
    if(event_code = "1" and process_image matches "*sc.exe", "ServiceDeletion",
    if(event_code = "1" and process_image matches "*schtasks.exe", "ScheduledTaskDeleted",
    if(event_code = "1" and (process_image matches "*net.exe" or process_image matches "*net1.exe"), "AccountDeleted",
    if(event_code = "4726", "AccountDeleted",
    if(event_code = "1" and (process_image matches "*powershell.exe" or process_image matches "*pwsh.exe"), "PowerShellPersistenceCleanup",
    "Unknown"))))))
| eval resolved_user = if(!isNull(user) and user != "", user, subject_user)
| table _messageTime, host, resolved_user, detection_type, process_image, command_line, registry_target, parent_image, event_code
| sort by _messageTime asc
```

Severity: high. Confidence: high.

Sumo Logic detection for T1070.009 parsing Sysmon and Windows Security events to identify persistence artifact removal including registry key/value deletions in Run keys, service deletion via sc.exe or PowerShell, scheduled task removal, and account deletion via net.exe or Event 4726.

Data Sources

  • Windows Sysmon (Operational)
  • Windows Security Event Log
  • Windows System Event Log

Required Tables

_sourceCategory=windows*

False Positives & Tuning

  • Application uninstallers legitimately removing their own Run key entries and scheduled tasks during software removal
  • Configuration management tools such as Ansible or Puppet enforcing service state by deleting unneeded services
  • System administrators performing account lifecycle management by removing onboarding or service accounts

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Delete Registry Run Key Persistence Entry

    Expected signal: Sysmon Event ID 12: RegistryEvent (Object Create/Delete) with TargetObject=HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ArgusTestPersistence, EventType=DeleteValue. Sysmon Event ID 1: Process Create with Image=reg.exe, CommandLine containing 'delete' and 'ArgusTestPersistence'. Security Event ID 4688 (if command line auditing enabled) for reg.exe process creation.

  2. Test 2: Malicious Service Creation and Self-Deletion

    Expected signal: System Event ID 7045: New Service Installed (ArgusTestSvc). System Event ID 7036: Service state changes (running, stopped). Sysmon Event ID 1: Multiple process creation events for sc.exe with arguments 'create', 'start', 'stop', 'delete'. Registry: HKLM\SYSTEM\CurrentControlSet\Services\ArgusTestSvc key created then deleted (Sysmon Event ID 12). Security Event ID 4697: Service was installed in the system.

  3. Test 3: Scheduled Task Self-Deletion

    Expected signal: Microsoft-Windows-TaskScheduler/Operational Event ID 106: Task Registered (ArgusTestTask). Event ID 141: Task Deleted (ArgusTestTask). Sysmon Event ID 1: Process Create events for schtasks.exe with '/create' then '/delete /tn ArgusTestTask /f'. Registry changes under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache (Sysmon Event ID 12/13).

  4. Test 4: IFEO Registry Key Deletion (SUNBURST-style Cleanup)

    Expected signal: Sysmon Event ID 13: RegistryEvent (Value Set) for HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe with value Debugger. Sysmon Event ID 12: RegistryEvent (Object Delete) for the same key after deletion. Sysmon Event ID 1: reg.exe process with command line containing 'Image File Execution Options' and 'Debugger'. Security Event ID 4688 for reg.exe execution.

  5. Test 5: Local User Account Deletion (S-Type/Dust Storm Cleanup)

    Expected signal: Security Event ID 4720: User Account Created (TargetUserName=ArgusTestUser). Security Event ID 4726: User Account Deleted (TargetUserName=ArgusTestUser). Sysmon Event ID 1: Two net.exe process creation events — one with '/add' and one with '/delete'. Security Event ID 4688 (if command line auditing enabled) for net.exe executions.
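Added example (not code from the page or from Sumo Logic): a Python port of the detection query's where-clause and eval chain, run offline over constructed "Key=Value" events modelled on the expected signals of Tests 1 to 5 above, so each branch and the resolved_user fallback can be checked before the rule is deployed. It assumes Sumo's `matches` operator is case-insensitive and that `nodrop` leaves unparsed fields empty; the sample events and user names are constructed.

```python
from fnmatch import fnmatchcase

# Constructed sample events (not real telemetry), in the "Key=Value" line layout the query's `parse "Key=*\n"` statements consume.
SAMPLE_EVENTS = [
    "EventCode=12\nEventType=DeleteValue\nTargetObject=HKU\\S-1-5-21-1\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ArgusTestPersistence\nImage=C:\\Windows\\System32\\reg.exe\nUser=LAB\\alice\n",
    "EventCode=1\nImage=C:\\Windows\\System32\\sc.exe\nCommandLine=sc.exe delete ArgusTestSvc\nUser=LAB\\alice\n",
    "EventCode=1\nImage=C:\\Windows\\System32\\schtasks.exe\nCommandLine=schtasks /delete /tn ArgusTestTask /f\nUser=LAB\\alice\n",
    "EventCode=1\nImage=C:\\Windows\\System32\\net.exe\nCommandLine=net user ArgusTestUser /delete\nUser=LAB\\alice\n",
    "EventCode=4726\nSubjectUserName=Administrator\nTargetUserName=ArgusTestUser\n",
    # Negative case: Test 4's first step sets the IFEO Debugger value; only its later deletion should fire.
    "EventCode=13\nEventType=SetValue\nTargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe\\Debugger\nUser=SYSTEM\n",
]
PERSIST_KEYS = ("*CurrentVersion\\Run*", "*CurrentVersion\\RunOnce*", "*Winlogon*",
                "*Image File Execution Options*", "*CurrentControlSet\\Services*",
                "*Explorer\\Shell Folders*", "*Schedule\\TaskCache*")
PS_CLEANUP = ("*Remove-Service*", "*Unregister-ScheduledTask*", "*sc.exe delete*",
              "*Remove-LocalUser*", "*schtasks*delete*")

def parse_event(raw):
    """Key -> value map for one event; absent keys read as None via .get(), like `nodrop`."""
    return dict(line.partition("=")[::2] for line in raw.splitlines() if "=" in line)

def m(value, pattern):
    """Wildcard match like Sumo's `matches` (assumed case-insensitive); None never matches."""
    return value is not None and fnmatchcase(value.lower(), pattern.lower())

def classify(ev):
    """Where-clause branches in the order of the query's eval chain; None means the row is dropped."""
    code, img, cmd, et = ev.get("EventCode"), ev.get("Image"), ev.get("CommandLine"), ev.get("EventType")
    if (code in ("12", "13") and any(m(ev.get("TargetObject"), p) for p in PERSIST_KEYS)
            and (m(et, "*DeleteKey*") or m(et, "*DeleteValue*"))):
        return "PersistenceRegistryDeleted"
    if code == "1" and m(img, "*sc.exe") and (m(cmd, "*delete*") or m(cmd, "* stop *")):
        return "ServiceDeletion"
    if code == "1" and m(img, "*schtasks.exe") and m(cmd, "*/delete*"):
        return "ScheduledTaskDeleted"
    if code == "1" and (m(img, "*net.exe") or m(img, "*net1.exe")) and m(cmd, "*user*") and m(cmd, "*/delete*"):
        return "AccountDeleted"
    if code == "4726":
        return "AccountDeleted"
    if code == "1" and (m(img, "*powershell.exe") or m(img, "*pwsh.exe")) and any(m(cmd, p) for p in PS_CLEANUP):
        return "PowerShellPersistenceCleanup"
    return None

def run_detection(events):
    """Rows the query's `table` would emit, with resolved_user falling back to SubjectUserName."""
    scored = [(ev, classify(ev)) for ev in map(parse_event, events)]
    return [{"detection_type": d, "resolved_user": ev.get("User") or ev.get("SubjectUserName"),
             "command_line": ev.get("CommandLine"), "registry_target": ev.get("TargetObject")}
            for ev, d in scored if d]
```

Running `run_detection(SAMPLE_EVENTS)` yields five rows (the SetValue event is dropped), with the 4726 row's resolved_user coming from SubjectUserName because Security events carry no `User=` field.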
