AN0113: Analytic 0113
Detects adversary activity that removes persistence artifacts such as services, registry keys, scheduled tasks, user accounts, and binaries through commands like `sc delete`, `schtasks /delete`, or `reg delete`.
Analyst context for executives and security teams
This analytic covers Windows activity in which persistence-related artifacts are removed: services, registry keys, scheduled tasks, user accounts, or binaries. For leaders, the value is not that deletion is always malicious; it is that sudden removal of persistence mechanisms can be part of attacker cleanup, post-compromise tradecraft, or incident activity that affects evidence preservation and response decisions.
Executive priority
Prioritize this as an incident response and audit-evidence question: can the organization prove when high-risk Windows persistence artifacts were deleted, by whom, from which host, and under what change context? This matters for business continuity because service, task, account, and registry deletion can disrupt operations or erase evidence needed to determine incident scope. It also helps security leaders validate whether SOC logging and endpoint controls support post-compromise investigation, not just initial detection.
Technical view
For Windows environments, validate visibility into commands and process activity associated with removal of persistence artifacts, including examples named by ATT&CK such as `sc delete`, `schtasks /delete`, and `reg delete`. Because the official object does not provide a detection query or relationship mappings, teams should treat this as a detection design requirement: correlate deletion commands with user context, parent process, host role, recent administrative change windows, and the targeted artifact type. SOC and IR teams should distinguish routine administration or software uninstall activity from suspicious deletion on sensitive systems, unusual accounts, or hosts already involved in an investigation.
Likely telemetry
- Windows process creation telemetry with command-line arguments
- Endpoint detection and response process and file activity
- Windows service creation/deletion or service control activity where available
- Scheduled task operational or security logs
- Registry modification/deletion telemetry
Detection direction
- Confirm collection of command-line arguments for Windows process execution; without arguments, commands such as `sc`, `schtasks`, and `reg` are much less useful analytically.
- Tune for deletion of persistence-relevant artifacts rather than generic deletion alone, since legitimate administrators and uninstallers commonly remove services, tasks, registry keys, accounts, and files.
- Correlate artifact removal with initiating user, parent process, remote execution context, host criticality, and recent alerts on the same endpoint.
- Review deletion activity outside approved maintenance windows or by non-standard administrative accounts.
- Preserve event and endpoint history during investigations, since this behavior may remove artifacts that responders need for scoping.
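Added example (not part of the ATT&CK object or Glexia's analysis) of the correlation described in the Technical view and the Detection direction list above: it classifies process-creation records as `sc delete`, `schtasks /delete` or `reg delete` against persistence-relevant targets, then scores each hit on initiating user, parent process and maintenance-window context. The event records, hosts, account names, change window, installer parent list and persistence registry paths are all constructed assumptions for illustration.

```python
import re
from datetime import datetime, time
EVENTS = [  # constructed Windows process-creation style records (not real telemetry)
    {"ts": "2024-05-02T03:12:40", "host": "DC01", "user": "CORP\\svc-backup", "parent": "powershell.exe",
     "cmd": 'reg delete "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v Updater /f'},
    {"ts": "2024-05-02T14:05:10", "host": "WS-117", "user": "CORP\\helpdesk1", "parent": "msiexec.exe",
     "cmd": "sc delete AcmeAgentSvc"},
    {"ts": "2024-05-02T02:47:03", "host": "FS02", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "cmd": 'schtasks /delete /tn "\\Microsoft\\Windows\\Sync\\SyncTask" /f'},
]
# Assumed context: change window, approved admins, uninstall parents, persistence registry paths.
MAINT_WINDOW = (time(13, 0), time(17, 0))
APPROVED_ADMINS = {"CORP\\admin-ops", "CORP\\helpdesk1"}
INSTALLER_PARENTS = {"msiexec.exe", "setup.exe", "uninstall.exe"}
PERSISTENCE_KEYS = re.compile(r"\\(Run|RunOnce|Services|Winlogon)\b", re.IGNORECASE)

def classify(cmd):
    # Returns (tool, target) when cmd deletes a persistence artifact, else None.
    argv = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]  # keep quoted paths whole
    if len(argv) < 2:
        return None
    tool, action, rest = argv[0].lower(), argv[1].lower(), argv[2:]
    if tool == "sc" and action == "delete" and rest:
        return ("sc", rest[0])
    if tool == "schtasks" and any(a.lower() == "/delete" for a in argv[1:]):
        tn = [argv[i + 1] for i, a in enumerate(argv) if a.lower() == "/tn" and i + 1 < len(argv)]
        return ("schtasks", tn[0] if tn else "?")
    if tool == "reg" and action == "delete" and rest and PERSISTENCE_KEYS.search(rest[0]):
        return ("reg", rest[0])
    return None  # not a deletion, or a registry path with no persistence relevance

def assess(ev):
    # Enriches a classified deletion with the context flags the analytic calls for.
    hit = classify(ev["cmd"])
    if hit is None:
        return None
    t = datetime.fromisoformat(ev["ts"]).time()
    checks = [
        (not MAINT_WINDOW[0] <= t <= MAINT_WINDOW[1], "outside maintenance window"),
        (ev["user"] not in APPROVED_ADMINS, "non-approved account"),
        (ev["parent"].lower() not in INSTALLER_PARENTS, "parent is not an installer"),
    ]
    reasons = [msg for flagged, msg in checks if flagged]
    return {"host": ev["host"], "user": ev["user"], "tool": hit[0], "target": hit[1],
            "score": len(reasons), "reasons": reasons}

def triage(events, threshold=2):
    # Keeps only deletions that accumulate at least `threshold` suspicious context flags.
    return [a for a in map(assess, events) if a and a["score"] >= threshold]
```

On the constructed records, the `msiexec.exe`-spawned `sc delete` during the change window by an approved account scores 0 and is dropped, while the off-hours registry Run-key and scheduled-task deletions by non-approved accounts are returned for review.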
Mitigation priorities
- Ensure Windows endpoint logging and EDR policies capture process command lines, registry changes, scheduled task changes, service changes, account changes, and relevant file deletions.
- Restrict administrative privileges so only approved roles can delete services, scheduled tasks, registry persistence locations, user accounts, or persistence-related binaries.
- Use change-management records to separate authorized maintenance from suspicious cleanup activity.
- Protect and retain security logs centrally so local artifact deletion does not remove investigative evidence.
- During incident response, prioritize preservation of affected hosts and telemetry before remediation steps overwrite evidence.
Analyst notes and limits
The object is a detection analytic for Windows and describes removal of persistence artifacts using commands such as `sc delete`, `schtasks /delete`, and `reg delete`. No ATT&CK tactics, related techniques, detection logic, or relationships were supplied, so this analysis focuses on defensive validation and evidence readiness rather than a specific adversary procedure.
Official detection content is not provided, and no relationship context is supplied. This means local implementation requires environment-specific baselining, artifact definitions, and false-positive handling. The supplied fields support Windows only and do not support claims about active exploitation, attribution, impact, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK Resources and Updates pages.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 17314c62d261… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0113 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.