Threat Actors may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, Modify Registry, Plist File Modification, or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence. Threat Actors may also delete accounts previously created to maintain persistence (i.e. Create Account).
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.