ID | Name |
---|---|
T1070.001 | Clear Windows Event Logs |
T1070.002 | Clear Linux or Mac System Logs |
T1070.003 | Clear Command History |
T1070.004 | File Deletion |
T1070.005 | Network Share Connection Removal |
T1070.006 | Timestomp |
T1070.007 | Clear Network Connection History and Configurations |
T1070.008 | Clear Mailbox Data |
T1070.009 | Clear Persistence |
T1070.010 | Relocate Malware |
Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as Remote Services or External Remote Services. Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.
Network connection history may be stored in various locations. For example, RDP connection history may be stored in Windows Registry values under [1]:

HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default
HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers

Windows may also store information about recent RDP connections in files such as C:\Users\%username%\Documents\Default.rdp and C:\Users\%username%\AppData\Local\Microsoft\Terminal Server Client\Cache\.[2] Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in /Library/Logs and/or /var/log/).[3][4][5]
Malicious network connections may also require changes to third-party applications or network configuration settings, such as Disable or Modify System Firewall or tampering to enable Proxy. Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.
ID | Name | Description |
---|---|---|
S0559 | SUNBURST | SUNBURST also removed the firewall rules it created during execution.[6] |
G1017 | Volt Typhoon | Volt Typhoon has inspected server logs to remove their IPs.[7] |
ID | Mitigation | Description |
---|---|---|
M1029 | Remote Data Storage | Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. |
M1024 | Restrict Registry Permissions | Protect generated event files and logs that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution | Monitor executed commands and arguments that may delete or alter malicious network configuration settings as well as generated artifacts on a host system, including logs and files such as |
DS0022 | File | File Modification | Monitor changes to files that may be indicators of deleting or altering malicious network configuration settings as well as generated artifacts on a host system that highlight network connection history, such as |
DS0018 | Firewall | Firewall Rule Modification | Monitor for changes made to firewall rules, especially unexpected modifications that may potentially be related to allowing and/or cleaning up previous tampering that enabled malicious network traffic. |
DS0009 | Process | Process Creation | Monitor created processes with arguments that may delete or alter malicious network configuration settings as well as generated artifacts that highlight network connection history on a host system, which may include logs, files, or Registry values. |
DS0024 | Windows Registry | Windows Registry Key Modification | Monitor for changes to Registry keys (ex: |
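The Command Execution, Process Creation and Firewall Rule Modification rows above describe command-line monitoring in general terms. As an added example (not part of the ATT&CK page), the block below runs a small rule set over constructed process-creation events: it flags commands that delete the RDP history Registry keys or files named in the technique description, remove host firewall rules, or remove or truncate logs under /var/log or /Library/Logs, while leaving read-only commands against the same artifacts unflagged. The event format and all sample command lines are constructed; a real deployment would feed it from Sysmon or auditd process events.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (field set is an assumption of this example)."""
    host: str
    user: str
    image: str
    command_line: str


# (rule id, description, pattern). Patterns are deliberately coarse: they key
# on the artifact locations the technique description names plus firewall rule
# removal, and are meant to be tuned against a site's own admin tooling.
RULES = (
    ("rdp-mru-registry-removal",
     "RDP connection history Registry key or value deletion",
     re.compile(r"(reg(\.exe)?\s+delete|remove-item(property)?)\b.*terminal server client", re.I)),
    ("rdp-file-artifact-removal",
     "Default.rdp or RDP bitmap cache deletion",
     re.compile(r"(\bdel\b|\berase\b|remove-item|\brm\b).*(default\.rdp|terminal server client\\cache)", re.I)),
    ("firewall-rule-removal",
     "Host firewall rule deleted from the command line",
     re.compile(r"(netsh\b.*advfirewall\b.*\bdelete\s+rule|remove-netfirewallrule)", re.I)),
    ("unix-netlog-removal",
     "Connection-history logs removed or truncated",
     re.compile(r"(\brm\b|\btruncate\b|>).*(/var/log/|/Library/Logs/)", re.I)),
)


def detect(events):
    """Return (rule id, event) pairs for every rule each event's command line matches."""
    findings = []
    for ev in events:
        for rule_id, _description, pattern in RULES:
            if pattern.search(ev.command_line):
                findings.append((rule_id, ev))
    return findings


# Constructed sample events: two benign reads, four removals.
SAMPLE_EVENTS = (
    ProcessEvent("ws01", "alice", "reg.exe",
                 r'reg query "HKCU\Software\Microsoft\Terminal Server Client\Servers"'),
    ProcessEvent("ws01", "alice", "reg.exe",
                 r'reg delete "HKCU\Software\Microsoft\Terminal Server Client\Servers" /f'),
    ProcessEvent("ws01", "alice", "cmd.exe",
                 r'cmd.exe /c del /q "C:\Users\alice\Documents\Default.rdp"'),
    ProcessEvent("srv02", "svc_update", "netsh.exe",
                 'netsh advfirewall firewall delete rule name="Update Service"'),
    ProcessEvent("lx03", "root", "/bin/sh",
                 'sh -c "cat /dev/null > /var/log/auth.log"'),
    ProcessEvent("lx03", "ops", "/usr/bin/grep",
                 "grep sshd /var/log/auth.log"),
)

if __name__ == "__main__":
    for rule_id, ev in detect(SAMPLE_EVENTS):
        print(f"{ev.host} {ev.user} [{rule_id}] {ev.command_line}")
```

Matching on the artifact path rather than on the deleting tool alone is what keeps the two read-only events quiet; the firewall rule pattern is the one that would have caught the SUNBURST behaviour in the procedure examples table, and is worth correlating with the rule's creation time, since a rule removed minutes after it was created by the same process is far more suspicious than routine cleanup.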