|T1070.001||Clear Windows Event Logs|
|T1070.002||Clear Linux or Mac System Logs|
|T1070.003||Clear Command History|
|T1070.005||Network Share Connection Removal|
|T1070.007||Clear Network Connection History and Configurations|
|T1070.008||Clear Mailbox Data|
Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system from behaviors that require network connections, such as Remote Services or External Remote Services. Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.
Network connection history may be stored in various locations on a system. For example, RDP connection history may be stored in Windows Registry values under :
HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default
HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers
Windows may also store information about recent RDP connections in files such as
C:\Users\%username%\AppData\Local\Microsoft\TerminalServer Client\Cache\. Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in
Malicious network connections may also require changes to network configuration settings, such as Disable or Modify System Firewall or tampering to enable Proxy. Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.
|M1029||Remote Data Storage||
Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system.
|M1024||Restrict Registry Permissions||
Protect generated event files and logs that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.
|ID||Data Source||Data Component||Detects|
Monitor executed commands and arguments that may delete or alter malicious network configuration settings as well as generated artifacts on a host system, including logs and files such as
Monitor changes to files that may be indicators of deleting or altering malicious network configuration settings as well as generated artifacts on a host system that highlight network connection history, such as
|DS0018||Firewall||Firewall Rule Modification||
Monitor for changes made to firewall rules, especially unexpected modifications that may potentially be related to allowing and/or cleaning up previous tampering that enabled malicious network traffic.
Monitor created processes with arguments that may delete or alter malicious network configuration settings as well as generated artifacts that highlight network connection history on a host system -- which may include logs, files, or Registry values.
|DS0024||Windows Registry||Windows Registry Key Modification||
Monitor for changes to Registry keys (ex: