Indicator Removal: Clear Network Connection History and Configurations

Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as Remote Services or External Remote Services. Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.

Network connection history may be stored in various locations. For example, RDP connection history may be stored in Windows Registry values under [1]:

  • HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default
  • HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers

Windows may also store information about recent RDP connections in files such as C:\Users\%username%\Documents\Default.rdp and C:\Users\%username%\AppData\Local\Microsoft\TerminalServer Client\Cache\.[2] Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in /Library/Logs and/or /var/log/).[3][4][5]

Malicious network connections may also require changes to third-party applications or network configuration settings, such as Disable or Modify System Firewall or tampering to enable Proxy. Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.

ID: T1070.007
Sub-technique of:  T1070
Tactic: Defense Evasion
Platforms: Linux, Network, Windows, macOS
Contributors: CrowdStrike Falcon OverWatch
Version: 1.1
Created: 15 June 2022
Last Modified: 08 September 2023

Procedure Examples

ID Name Description
S0559 SUNBURST

SUNBURST also removed the firewall rules it created during execution.[6]

G1017 Volt Typhoon

Volt Typhoon have inspected server logs to remove their IPs.[7]

Mitigations

ID Mitigation Description
M1029 Remote Data Storage

Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system.

M1024 Restrict Registry Permissions

Protect generated event files and logs that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may delete or alter malicious network configuration settings as well as generated artifacts on a host system, including logs and files such as Default.rdp or /var/log/.

DS0022 File File Modification

Monitor changes to files that may be indicators of deleting or altering malicious network configuration settings as well as generated artifacts on a host system that highlight network connection history, such as Default.rdp or /var/log/.

DS0018 Firewall Firewall Rule Modification

Monitor for changes made to firewall rules, especially unexpected modifications that may potentially be related to allowing and/or cleaning up previous tampering that enabled malicious network traffic.

DS0009 Process Process Creation

Monitor created processes with arguments that may delete or alter malicious network configuration settings as well as generated artifacts that highlight network connection history on a host system -- which may include logs, files, or Registry values.

DS0024 Windows Registry Windows Registry Key Modification

Monitor for changes to Registry keys (ex: HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default) and associated values that may be malicious attempts to conceal adversary network connection history.

References