MITRE ATT&CK  /  T1070.007

T1070.007

Clear Network Connection History and Configurations

Description

Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.Network connection history may be stored in various locations. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal):* <code>HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default</code> * <code>HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers</code>Windows may also store information about recent RDP connections in files such as <code>C:\Users\\%username%\Documents\Default.rdp</code> and `C:\Users\%username%\AppData\Local\Microsoft\Terminal Server Client\Cache\`.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in `/Library/Logs` and/or `/var/log/`).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)Malicious network connections may also requ…

Platforms

Mitigations

• M1029 — Remote Data Storage
• M1024 — Restrict Registry Permissions

Source: MITRE ATT&CK Enterprise matrix. View on attack.mitre.org →