T1070.007: Clear Network Connection History and Configurations
Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as Remote Services or External Remote Services. Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.
Network connection history may be stored in various locations. For example, RDP connection history may be stored in Windows Registry values under :
HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\DefaultHKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers
Windows may also store information about recent RDP connections in files such as C:\Users\%username%\Documents\Default.rdp and C:\Users\%username%\AppData\Local\Microsoft\Terminal Server Client\Cache\. Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in /Library/Logs and/or /var/log/).
Malicious network connections may also require changes to third-party applications or network configuration settings, such as Disable or Modify System Firewall or tampering to enable Proxy. Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_defense_evasion: PT-CR-2444: RDP_Connection_History_Removal: An attacker can clear or edit the history of RDP connections by deleting or changing the corresponding registry entries or the Default.rdp configuration file unix_mitre_attck_defense_evasion: PT-CR-440: Unix_Log_Config_Modify: Audit daemon configuration file change network_devices_compromise: PT-CR-1820: S_Terra_Gate_Erase_Config: A configuration file is cleared
Detection
| ID | DS0009 | Data source and component | Process: Process Creation | Description | Monitor created processes with arguments that may delete or alter malicious network configuration settings as well as generated artifacts that highlight network connection history on a host system -- which may include logs, files, or Registry values. |
|---|
| ID | DS0024 | Data source and component | Windows Registry: Windows Registry Key Modification | Description | Monitor for changes to Registry keys (ex: |
|---|
| ID | DS0017 | Data source and component | Command: Command Execution | Description | Monitor executed commands and arguments that may delete or alter malicious network configuration settings as well as generated artifacts on a host system, including logs and files such as |
|---|
| ID | DS0018 | Data source and component | Firewall: Firewall Rule Modification | Description | Monitor for changes made to firewall rules, especially unexpected modifications that may potentially be related to allowing and/or cleaning up previous tampering that enabled malicious network traffic. |
|---|
| ID | DS0022 | Data source and component | File: File Modification | Description | Monitor changes to files that may be indicators of deleting or altering malicious network configuration settings as well as generated artifacts on a host system that highlight network connection history, such as |
|---|
Mitigation
| ID | M1029 | Name | Remote Data Storage | Description | Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. |
|---|
| ID | M1024 | Name | Restrict Registry Permissions | Description | Protect generated event files and logs that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. |
|---|