DET0040: Detection of Persistence Artifact Removal Across Host Platforms
DET0040 is a MITRE detection strategy for finding when an adversary removes artifacts tied to persistence. The business significance is evidence preservati...
Analyst context for executives and security teams
DET0040 is a MITRE detection strategy for finding when an adversary removes artifacts tied to persistence. The business significance is evidence preservation: if persistence cleanup is missed, teams may underestimate how long an intruder had access, whether access can be re-established, and what systems require deeper recovery work.
Executive priority
Prioritize this as an incident-readiness and resilience question: can the organization prove when persistence was created, changed, or removed across host platforms associated with the related ATT&CK technique, including ESXi, Linux, macOS, and Windows? Leaders should ask whether SOC and IR teams retain enough host evidence to reconstruct persistence cleanup during an investigation, not just alert on active persistence.
Technical view
This detection strategy is mapped to T1070.009 Clear Persistence, a stealth behavior involving removal of persistence artifacts such as services, executables, registry modifications, plist changes, or other cleanup activity. Because the official detection text and platform field for DET0040 are not provided, teams should validate coverage using the related technique context: host-level monitoring for deletion or modification of known persistence locations and artifacts across supported environments, with special attention to actions that occur after suspected persistence establishment.
Likely telemetry
- Endpoint process execution and command-line records
- File creation, modification, and deletion events for persistence-related paths and binaries
- Windows service creation, modification, and deletion events
- Windows Registry modification and deletion events
- macOS plist modification or deletion events
Detection direction
- Validate that logging captures removal as well as creation of persistence artifacts; many programs focus on persistence installation but under-collect cleanup evidence.
- Correlate artifact deletion or configuration rollback with earlier persistence-related changes on the same host or account.
- Tune for administrative maintenance noise, software uninstallers, patching, and configuration management activity that can legitimately remove services, executables, registry keys, or plist entries.
- Review retention windows: this behavior is material when evidence disappears before responders can collect it.
- Use relationship context from T1070.009 to prioritize stealth-oriented cleanup activity across ESXi, Linux, macOS, and Windows, while noting that DET0040 itself does not specify platforms.
Mitigation priorities
- Ensure incident response procedures preserve endpoint, configuration, and audit evidence quickly when persistence is suspected.
- Strengthen host logging and EDR/audit coverage for changes to persistence mechanisms, including deletions and reversions.
- Maintain baselines or inventories of authorized services, startup items, registry keys, plist files, and relevant host configuration so removals can be assessed in context.
- Limit and monitor administrative permissions that can remove persistence artifacts or erase investigative evidence.
- Test detection content with benign administrative change scenarios to reduce false positives while confirming that suspicious cleanup remains visible.
Analyst notes and limits
The supplied ATT&CK object is a detection strategy with no official description or detection text. The practical interpretation is derived from its relationship to T1070.009 Clear Persistence and that technique’s supplied description and platforms. Treat this as guidance for coverage validation, not as proof of existing detection efficacy.
No official DET0040 detection logic, data sources, platforms, tactics, or detailed analytic criteria were supplied. Local environment architecture, host logging configuration, EDR capability, retention, and administrative workflows are required to determine actual coverage and alert quality.
Detection of Persistence Artifact Removal Across Host Platforms
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1070.009 | Clear Persistence Sub-technique | This object detects Clear Persistence. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 2aea3fa4c356… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack DET0040Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.