Detects attempts to clear RDP/network history and modify network configuration artifacts through command execution, registry key deletion, firewall rule changes, and suspicious file deletions (e.g., `Default.rdp`, registry edits to Terminal Server Client keys).

| Data Component | Name | Channel |
|---|---|---|
| Windows Registry Key Modification (DC0063) | WinEventLog:Security | EventCode=4663 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Command Execution (DC0064) | EDR:cli | Command Line Telemetry |
| Firewall Rule Modification (DC0051) | WinEventLog:Security | Firewall Rule Modification |

| Field | Description |
|---|---|
| TargetPathRegex | Filter file/registry paths like `*\Terminal Server Client\*` or `*Default.rdp*` |
| TimeWindow | Correlate command/registry edits within close proximity to suspicious connection activity |
| UserContext | Detect cleanup behavior from non-interactive or SYSTEM accounts |
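The three tunables above combine into one correlation rule: find events that touch RDP history artifacts (TargetPathRegex), look back for a Type 10 (RemoteInteractive) logon on the same host within TimeWindow, and weight the result by UserContext. The following is an added Python example, not code from the analytic itself; it assumes Sysmon and Security events flattened into dicts (a constructed sample, not a real export), treats the `0x10000` bit of a 4663 AccessMask as the DELETE access right, and uses a 30-minute window.

```python
"""Added example: correlate RDP-history cleanup on Windows with a preceding RDP logon."""
import re
from datetime import datetime, timedelta

# Tunables from the analytic; the concrete values are assumptions for this example.
TARGET_PATH_REGEX = re.compile(r"\\Terminal Server Client\\|Default\.rdp$", re.IGNORECASE)
TIME_WINDOW = timedelta(minutes=30)
PRIVILEGED_CONTEXTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
                       "NT AUTHORITY\\NETWORK SERVICE"}
DELETE_ACCESS = 0x10000   # DELETE access right bit in a 4663 AccessMask
RDP_LOGON_TYPE = 10       # RemoteInteractive logon type in a 4624 event

# Constructed sample telemetry, flattened into dicts (not a real log export).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00", "source": "Security", "EventCode": 4624,
     "LogonType": 10, "User": "CORP\\alice", "Computer": "WS01"},
    {"time": "2024-05-01T10:12:30", "source": "Sysmon", "EventCode": 1,
     "User": "CORP\\alice", "Computer": "WS01", "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg delete \"HKCU\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"},
    {"time": "2024-05-01T10:12:35", "source": "Security", "EventCode": 4663,
     "User": "CORP\\alice", "Computer": "WS01",
     "ObjectName": "C:\\Users\\alice\\Documents\\Default.rdp", "AccessMask": "0x10000"},
    {"time": "2024-05-01T15:00:00", "source": "Security", "EventCode": 4663,
     "User": "NT AUTHORITY\\SYSTEM", "Computer": "WS02",
     "ObjectName": "\\REGISTRY\\USER\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Terminal Server Client\\Servers",
     "AccessMask": "0x10000"},
    {"time": "2024-05-01T16:00:00", "source": "Sysmon", "EventCode": 1,
     "User": "CORP\\bob", "Computer": "WS03", "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\Users\\bob\\notes.txt"},
]


def parse_time(value):
    return datetime.fromisoformat(value)


def matches_target(ev):
    """TargetPathRegex: does this event reference an RDP history artifact?"""
    if ev["source"] == "Sysmon" and ev["EventCode"] == 1:
        # Any command line naming the artifact is a candidate; tighten with verbs if too noisy.
        return bool(TARGET_PATH_REGEX.search(ev.get("CommandLine", "")))
    if ev["source"] == "Security" and ev["EventCode"] == 4663:
        delete_requested = int(ev.get("AccessMask", "0"), 16) & DELETE_ACCESS
        return bool(delete_requested) and bool(TARGET_PATH_REGEX.search(ev.get("ObjectName", "")))
    return False


def recent_rdp_logon(events, ev):
    """TimeWindow: most recent Type 10 logon on the same host within the window, if any."""
    now = parse_time(ev["time"])
    best = None
    for e in events:
        if (e["source"] == "Security" and e["EventCode"] == 4624
                and e.get("LogonType") == RDP_LOGON_TYPE and e["Computer"] == ev["Computer"]):
            delta = now - parse_time(e["time"])
            if timedelta(0) <= delta <= TIME_WINDOW and (best is None or delta < best[1]):
                best = (e, delta)
    return best


def detect(events):
    """Return one alert per cleanup candidate, enriched with session and user context."""
    alerts = []
    for ev in events:
        if not matches_target(ev):
            continue
        session = recent_rdp_logon(events, ev)
        # UserContext: SYSTEM/service accounts have no business editing a user's RDP history.
        privileged = ev["User"].upper() in {p.upper() for p in PRIVILEGED_CONTEXTS}
        alerts.append({
            "time": ev["time"],
            "host": ev["Computer"],
            "user": ev["User"],
            "artifact": ev.get("CommandLine") or ev.get("ObjectName"),
            "rdp_session_minutes_ago": session[1].total_seconds() / 60 if session else None,
            "privileged_context": privileged,
            "severity": "high" if (session or privileged) else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The lookback is keyed on host rather than user on purpose: an RDP session by one account followed by cleanup under SYSTEM on the same host is exactly the pattern the UserContext tunable is meant to surface.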
Detects deletion or overwriting of logs/configs that store SSH or proxy activity, such as `/var/log/auth.log`, or clearing of `.bash_history` tied to SSH sessions or firewall rule changes.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| File Modification (DC0061) | auditd:SYSCALL | PATH |

| Field | Description |
|---|---|
| CommandMatchPattern | Commands like `> /var/log/auth.log`, `rm ~/.bash_history`, `iptables -F` |
| LogPathFilter | Focus on `/var/log/auth.log`, `/etc/ssh/`, `~/.bash_history` |
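Matching CommandMatchPattern against auditd is less direct than it looks: one event is spread over several records sharing a `msg=audit(ts:serial)` id, the EXECVE record carries arguments as `a0..aN` (hex-encoded when they contain shell metacharacters), and a redirect such as `> /var/log/auth.log` never appears as an argument at all, only as an `open`/`openat` with `O_TRUNC` against the path. The following is an added Python example, not the analytic's own code; it reassembles events from a constructed `audit.log` excerpt (x86_64 syscall numbers, `auditd`'s record layout, hex-encoded arguments) and applies both tunables.

```python
"""Added example: reassemble auditd events and flag SSH/shell-history cleanup."""
import re
from collections import defaultdict

# CommandMatchPattern (assumed values for this example)
COMMAND_PATTERNS = [re.compile(p) for p in (
    r"^rm\b.*\.bash_history",
    r"^iptables\s+(-F|--flush)\b",
    r">\s*/var/log/auth\.log",
    r"^(truncate|shred)\b.*/var/log/auth\.log",
)]
# LogPathFilter (substring match against PATH records)
WATCHED_PATHS = ("/var/log/auth.log", "/etc/ssh/", "/.bash_history")

O_TRUNC = 0o1000
OPEN_SYSCALLS = {2: 1, 257: 2}   # x86_64 open(a1=flags) / openat(a2=flags)
UNLINK_SYSCALLS = {87, 263}      # x86_64 unlink / unlinkat

KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
ARG_RE = re.compile(r"^a(\d+)(?:\[(\d+)\])?$")   # a2 or chunked a2[0], a2[1], ...

# Constructed audit.log excerpt (six events, trimmed fields). The a2 of serial 504
# is hex because auditd encodes arguments containing spaces or metacharacters.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.100:501): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1234 auid=1000 uid=0 euid=0 comm="rm" exe="/usr/bin/rm" key="exec"
type=EXECVE msg=audit(1700000000.100:501): argc=2 a0="rm" a1="/home/alice/.bash_history"
type=PATH msg=audit(1700000000.100:501): item=0 name="/usr/bin/rm" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.110:502): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55e3c1b0 a2=0 a3=0 ppid=1200 pid=1234 auid=1000 uid=0 euid=0 comm="rm" exe="/usr/bin/rm" key="delete"
type=PATH msg=audit(1700000000.110:502): item=0 name="/home/alice/" nametype=PARENT
type=PATH msg=audit(1700000000.110:502): item=1 name="/home/alice/.bash_history" nametype=DELETE
type=SYSCALL msg=audit(1700000000.200:503): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c3a2e2a0 a2=241 a3=1b6 ppid=1200 pid=1235 auid=1000 uid=0 euid=0 comm="bash" exe="/usr/bin/bash" key="logs"
type=PATH msg=audit(1700000000.200:503): item=0 name="/var/log/auth.log" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.300:504): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1236 auid=1000 uid=0 euid=0 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1700000000.300:504): argc=3 a0="bash" a1="-c" a2=636174202F6465762F6E756C6C203E202F7661722F6C6F672F617574682E6C6F67
type=SYSCALL msg=audit(1700000000.400:505): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1237 auid=1000 uid=0 euid=0 comm="iptables" exe="/usr/sbin/iptables" key="exec"
type=EXECVE msg=audit(1700000000.400:505): argc=2 a0="iptables" a1="-F"
type=SYSCALL msg=audit(1700000000.500:506): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1238 auid=1000 uid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="exec"
type=EXECVE msg=audit(1700000000.500:506): argc=2 a0="cat" a1="/etc/hostname"
"""


def unquote(value):
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def decode_arg(value):
    """EXECVE arguments are either quoted strings or bare hex."""
    if value.startswith('"'):
        return unquote(value)
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value


def parse_audit_log(text):
    """Group records by (timestamp, serial) -> list of (record type, raw fields)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        raw = dict(KV_RE.findall(line))
        events[(float(m.group(1)), int(m.group(2)))].append((raw["type"], raw))
    return events


def reconstruct_command(execve_fields):
    """Join a0..aN (and chunked aN[k]) back into the executed command line."""
    parts = {}
    for key, value in execve_fields.items():
        m = ARG_RE.match(key)
        if m:
            idx, chunk = int(m.group(1)), int(m.group(2) or 0)
            parts.setdefault(idx, {})[chunk] = decode_arg(value)
    return " ".join("".join(parts[i][c] for c in sorted(parts[i])) for i in sorted(parts))


def analyze(events):
    """Apply CommandMatchPattern to EXECVE and LogPathFilter to PATH/open/unlink records."""
    alerts = []
    for (_, serial), records in sorted(events.items()):
        syscall = next((f for t, f in records if t == "SYSCALL"), {})
        execve = next((f for t, f in records if t == "EXECVE"), None)
        paths = [unquote(f.get("name", "")) for t, f in records if t == "PATH"]
        nr = int(syscall.get("syscall", -1))
        reasons = []
        if execve:
            cmd = reconstruct_command(execve)
            if any(p.search(cmd) for p in COMMAND_PATTERNS):
                reasons.append(f"command: {cmd}")
        watched = [p for p in paths if any(w in p for w in WATCHED_PATHS)]
        if watched and nr in UNLINK_SYSCALLS:
            reasons.append(f"unlink: {watched[0]}")
        if watched and nr in OPEN_SYSCALLS:
            flags = int(syscall.get(f"a{OPEN_SYSCALLS[nr]}", "0"), 16)
            if flags & O_TRUNC:   # a shell redirect shows up here, not in EXECVE
                reasons.append(f"truncate: {watched[0]}")
        if reasons:
            alerts.append({"serial": serial, "auid": syscall.get("auid"),
                           "exe": unquote(syscall.get("exe", "")), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(alert)
```

The `auid` field is worth carrying into every alert: it survives `sudo`/`su`, so cleanup performed as `uid=0` still traces back to the SSH login that started the session.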
Detects removal of Remote Login or Screen Sharing logs in Unified Logging, deletion of com.apple.UTun, or suspicious Terminal use of `rm` or `sudo pfctl -F all` to clear network state/config history.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | log stream --predicate 'eventMessage contains "loginwindow" or "pfctl"' |
| File Modification (DC0061) | macos:osquery | file_events |

| Field | Description |
|---|---|
| FilenameMatch | e.g., `*com.apple.UTun*`, `*RemoteManagement*` log files |
| TimeDeltaFromLogin | Correlate deletion with recent SSH or GUI remote login session |
Detects firewall rule modifications or reset of logs/connection tables (e.g., `clear logging`, `erase startup-config`, `write erase`) following remote access activity on routers, switches, or VPN appliances.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | networkdevice:syslog | Command Audit / Configuration Change |
| Network Traffic Content (DC0085) | NSM:Flow | Session History Reset |

| Field | Description |
|---|---|
| CommandPattern | e.g., `clear logging`, `no logging buffered`, `no ip domain-lookup` |
| DeviceTypeFilter | Switches vs VPN vs routers |
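On network devices the command audit usually arrives as syslog, so CommandPattern and DeviceTypeFilter reduce to parsing the message mnemonic, extracting the logged command, and looking the source host up in an inventory; the "following remote access activity" qualifier comes from the device's own login-success messages. The following is an added Python example, not the analytic's own code; it assumes Cisco IOS-style `%PARSER-5-CFGLOG_LOGGEDCMD` and `%SEC_LOGIN-5-LOGIN_SUCCESS` messages (the sample lines are constructed and simplified: exec-mode commands such as `clear logging` only reach syslog when command accounting is enabled, and here they are shown in the same logged-command form) and a constructed hostname-to-device-type inventory.

```python
"""Added example: flag history/config-clearing commands on network devices from syslog."""
import re
from datetime import datetime, timedelta

# CommandPattern (assumed values, taken from the analytic's examples)
COMMAND_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^clear logging\b",
    r"^no logging (buffered|host|trap)\b",
    r"^no ip domain-lookup\b",
    r"^erase startup-config\b",
    r"^write erase\b",
)]
# DeviceTypeFilter: constructed inventory mapping syslog hostname -> device type
DEVICE_TYPES = {"edge-rtr1": "router", "core-sw1": "switch", "vpn-gw1": "vpn"}
LOGIN_WINDOW = timedelta(minutes=30)

SYSLOG_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) .*?"
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<msg>.*)$")
CFGLOG_RE = re.compile(r"User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)")
LOGIN_RE = re.compile(r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]")

# Constructed sample syslog lines (IOS-style; no year in the timestamp, as on the wire).
SAMPLE_SYSLOG = """\
<189>Jun  1 10:05:12 edge-rtr1 1234: *Jun  1 10:05:12.001: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.5] [localport: 22] at 10:05:12 UTC Sat Jun 1 2024
<189>Jun  1 10:07:40 edge-rtr1 1235: *Jun  1 10:07:40.120: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no logging buffered
<189>Jun  1 10:08:01 edge-rtr1 1236: *Jun  1 10:08:01.330: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:clear logging
<189>Jun  1 11:30:00 core-sw1 4471: *Jun  1 11:30:00.000: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface GigabitEthernet1/0/1
<189>Jun  1 12:00:00 vpn-gw1 9901: *Jun  1 12:00:00.000: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:write erase
"""


def parse_syslog_time(text):
    # Syslog carries no year; all sample lines fall in one year, so strptime's default is fine.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def parse_line(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"time": parse_syslog_time(m.group("ts")), "host": m.group("host"),
            "mnemonic": m.group("mnemonic"), "msg": m.group("msg")}


def detect(lines, device_type_filter=frozenset({"router", "switch", "vpn"})):
    """Return alerts for matching commands on in-scope device types, enriched with the last remote login."""
    last_login = {}   # host -> (user, source ip, time)
    alerts = []
    for rec in filter(None, (parse_line(l) for l in lines)):
        if rec["mnemonic"] == "SEC_LOGIN-5-LOGIN_SUCCESS":
            lm = LOGIN_RE.search(rec["msg"])
            if lm:
                last_login[rec["host"]] = (lm.group("user"), lm.group("src"), rec["time"])
            continue
        if rec["mnemonic"] != "PARSER-5-CFGLOG_LOGGEDCMD":
            continue
        cm = CFGLOG_RE.search(rec["msg"])
        if not cm:
            continue
        cmd = cm.group("cmd").strip()
        device_type = DEVICE_TYPES.get(rec["host"], "unknown")
        if device_type not in device_type_filter:
            continue
        if not any(p.search(cmd) for p in COMMAND_PATTERNS):
            continue
        login = last_login.get(rec["host"])
        recent = login if login and rec["time"] - login[2] <= LOGIN_WINDOW else None
        alerts.append({
            "host": rec["host"], "device_type": device_type,
            "user": cm.group("user"), "command": cmd,
            "remote_login_source": recent[1] if recent else None,
            "seconds_since_login": (rec["time"] - recent[2]).total_seconds() if recent else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_SYSLOG.splitlines()):
        print(alert)
```

A `write erase` on a VPN gateway with no preceding login message is still reported; the absence of the login is itself a finding, since it usually means the session came in through a path the device does not log (console, or a management plane without AAA accounting).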