Indicator Removal:  Clear Persistence

Misdat is capable of deleting Registry keys used for persistence.(Citation: Cylance Dust Storm)

Raspberry Robin uses a RunOnce Registry key for persistence, where the key is removed after its use on reboot then re-added by the malware after it resumes execution.(Citation: Microsoft RaspberryRobin 2022)

S-Type has deleted accounts it has created.(Citation: Cylance Dust Storm)

RTM has the ability to remove Registry entries that it created for persistence.(Citation: ESET RTM Feb 2017)

MCMD has the ability to remove set Registry Keys, including those used for persistence.(Citation: Secureworks MCMD July 2019)

Bazar's loader can delete scheduled tasks created by a previous instance of the malware.(Citation: NCC Group Team9 June 2020)

Kapeka will clear registry values used for persistent configuration storage when uninstalled.(Citation: WithSecure Kapeka 2024)

SUNBURST removed IFEO registry values to clean up traces of persistence.(Citation: Microsoft Deep Dive Solorigate January 2021)

IPsec Helper can delete various service traces related to persistent execution when commanded.(Citation: SentinelOne Agrius 2021)

Pillowmint can uninstall the malicious service from an infected machine.(Citation: Trustwave Pillowmint June 2020)

GrimAgent can delete previously created tasks on a compromised host.(Citation: Group IB GrimAgent July 2021)

njRAT is capable of manipulating and deleting registry keys, including those used for persistence.(Citation: Trend Micro njRAT 2018)

KOCTOPUS can delete created registry keys used for persistence as part of its cleanup procedure.(Citation: MalwareBytes LazyScripter Feb 2021)

Restricting file and directory permissions involves setting access controls at the file system level to limit which users, groups, or processes can read, write, or execute files. By configuring permissions appropriately, organizations can reduce the attack surface for adversaries seeking to access sensitive data, plant malicious code, or tamper with system files. Enforce Least Privilege Permissions: - Remove unnecessary write permissions on sensitive files and directories. - Use file ownership and groups to control access for specific roles. Example (Windows): Right-click the shared folder → Properties → Security tab → Adjust permissions for NTFS ACLs. Harden File Shares: - Disable anonymous access to shared folders. - Enforce NTFS permissions for shared folders on Windows. Example: Set permissions to restrict write access to critical files, such as system executables (e.g., `/bin` or `/sbin` on Linux). Use tools like `chown` and `chmod` to assign file ownership and limit access. On Linux, apply: `chmod 750 /etc/sensitive.conf` `chown root:admin /etc/sensitive.conf` File Integrity Monitoring (FIM): - Use tools like Tripwire, Wazuh, or OSSEC to monitor changes to critical file permissions. Audit File System Access: - Enable auditing to track permission changes or unauthorized access attempts. - Use auditd (Linux) or Event Viewer (Windows) to log activities. Restrict Startup Directories: - Configure permissions to prevent unauthorized writes to directories like `C:\ProgramData\Microsoft\Windows\Start Menu`. Example: Restrict write access to critical directories like `/etc/`, `/usr/local/`, and Windows directories such as `C:\Windows\System32`. - On Windows, use icacls to modify permissions: `icacls "C:\Windows\System32" /inheritance:r /grant:r SYSTEM:(OI)(CI)F` - On Linux, monitor permissions using tools like `lsattr` or `auditd`.

Remote Data Storage focuses on moving critical data, such as security logs and sensitive files, to secure, off-host locations to minimize unauthorized access, tampering, or destruction by adversaries. By leveraging remote storage solutions, organizations enhance the protection of forensic evidence, sensitive information, and monitoring data. This mitigation can be implemented through the following measures: Centralized Log Management: - Configure endpoints to forward security logs to a centralized log collector or SIEM. - Use tools like Splunk Graylog, or Security Onion to aggregate and store logs. - Example command (Linux): `sudo auditd | tee /var/log/audit/audit.log | nc 514` Remote File Storage Solutions: - Utilize cloud storage solutions like AWS S3, Google Cloud Storage, or Azure Blob Storage for sensitive data. - Ensure proper encryption at rest and access control policies (IAM roles, ACLs). Intrusion Detection Log Forwarding: - Forward logs from IDS/IPS systems (e.g., Zeek/Suricata) to a remote security information system. - Example for Suricata log forwarding: `outputs: - type: syslog protocol: tls address: ` Immutable Backup Configurations: - Enable immutable storage settings for backups to prevent adversaries from modifying or deleting data. - Example: AWS S3 Object Lock. Data Encryption: - Ensure encryption for sensitive data using AES-256 at rest and TLS 1.2+ for data in transit. Tools: OpenSSL, BitLocker, LUKS for Linux.