title: Clear Persistence (T1070.009)
id: df00tech-t1070-009
status: experimental
description: "Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, modifying the registry, or other cleanup methods to prevent defenders from collecting evidence of their persistent presence. Adversaries may also delete accounts previously created to maintain persistence. In some instances, artifacts of persistence may be removed once an adversary's persistence executes in order to prevent errors with the new instance of the malware."
references:
  - https://attack.mitre.org/techniques/T1070/009/
  - https://df00tech.com/detections/T1070.009
author: df00tech
date: 2026/04/13
tags:
  - attack.t1070.009
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Auto-translation of the df00tech KQL/SPL query failed; the selections below cover the
  # cleanup actions named in the description (service removal, Run/RunOnce key deletion,
  # scheduled task deletion, account deletion) and should be reconciled with the canonical
  # query on df00tech before deployment. A catch-all such as EventID: '*' would fire on
  # every process_creation event and is not a usable detection.
  selection_service:
    Image|endswith: '\sc.exe'
    CommandLine|contains: ' delete '
  selection_regrun:
    Image|endswith: '\reg.exe'
    CommandLine|contains|all:
      - ' delete '
      - '\CurrentVersion\Run'
  selection_task:
    Image|endswith: '\schtasks.exe'
    CommandLine|contains: '/delete'
  selection_user:
    Image|endswith:
      - '\net.exe'
      - '\net1.exe'
    CommandLine|contains|all:
      - ' user '
      - '/delete'
  condition: 1 of selection_*
falsepositives:
  - Software uninstallers legitimately removing their own Run/RunOnce registry entries during uninstallation
  - "IT administrators removing stale scheduled tasks, services, or user accounts during routine maintenance"
  - "Endpoint security or patch management tools (SCCM, Intune, PDQ Deploy) that clean up their own persistence entries after completing tasks"
  - "System cleanup tools (CCleaner, Windows built-in Disk Cleanup) removing startup entries as part of optimization"
  - Group Policy processing removing or updating startup registry entries during policy refresh
level: high
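Added example (not df00tech's code or query): a small matcher that applies process_creation selections for the four cleanup actions named in the description (service removal via sc.exe, Run/RunOnce key deletion via reg.exe, scheduled task deletion via schtasks.exe, account deletion via net.exe/net1.exe) to a handful of constructed events. The selection names and the sample command lines are assumptions made here for illustration; the matcher implements only the Sigma string modifiers those selections need (endswith, contains, contains|all) with Sigma's default case-insensitive matching, so a practitioner can see which events a rule of this shape fires on and which benign lookalikes it leaves alone.

```python
"""Apply process_creation selections for T1070.009 cleanup actions to sample events.

Added example, not df00tech's detection query. The events and selection names
below are constructed for illustration only.
"""
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed sample process_creation events (Image + CommandLine); not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc.exe delete "UpdaterSvc"'},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /f"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /Delete /TN "OneDriveSync" /F'},
    {"Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": r"net1 user svc_backup /delete"},
    # Benign lookalikes that must not match: querying, not deleting; adding, not removing.
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r"sc.exe query wuauserv"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net user svc_backup /add"},
]


def endswith(value: str, suffixes: Iterable[str]) -> bool:
    """Sigma 'endswith' modifier: a list of values is OR'd; matching is case-insensitive."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def contains_all(value: str, needles: Iterable[str]) -> bool:
    """Sigma 'contains|all' modifier (plain 'contains' is the single-needle case)."""
    v = value.lower()
    return all(n.lower() in v for n in needles)


# Hypothetical selection names; each maps to the field checks of one selection block.
SELECTIONS: Dict[str, Callable[[Dict[str, str]], bool]] = {
    "selection_service": lambda e: endswith(e["Image"], [r"\sc.exe"])
    and contains_all(e["CommandLine"], [" delete "]),
    "selection_regrun": lambda e: endswith(e["Image"], [r"\reg.exe"])
    and contains_all(e["CommandLine"], [" delete ", r"\CurrentVersion\Run"]),
    "selection_task": lambda e: endswith(e["Image"], [r"\schtasks.exe"])
    and contains_all(e["CommandLine"], ["/delete"]),
    "selection_user": lambda e: endswith(e["Image"], [r"\net.exe", r"\net1.exe"])
    and contains_all(e["CommandLine"], [" user ", "/delete"]),
}


def match_event(event: Dict[str, str]) -> List[str]:
    """Return the names of every selection that matches one event."""
    return [name for name, pred in SELECTIONS.items() if pred(event)]


def run(events: Iterable[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Evaluate 'condition: 1 of selection_*' over events.

    Returns (CommandLine, matched selections) for each event that fires.
    """
    hits: List[Tuple[str, List[str]]] = []
    for event in events:
        matched = match_event(event)
        if matched:  # "1 of selection_*": any selection is enough
            hits.append((event["CommandLine"], matched))
    return hits


if __name__ == "__main__":
    for cmdline, matched in run(SAMPLE_EVENTS):
        print(f"{', '.join(matched):>18}  {cmdline}")
```

Running the block prints the four cleanup command lines with the selection that caught each; the three query/add lookalikes produce nothing. The same four selections can be pasted into the detection block of the rule above, and the false-positive list already names the legitimate uninstallers and management tools that will trip them in an enterprise environment.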
