| ID | Name |
|---|---|
| T1070.001 | Clear Windows Event Logs |
| T1070.002 | Clear Linux or Mac System Logs |
| T1070.003 | Clear Command History |
| T1070.004 | File Deletion |
| T1070.005 | Network Share Connection Removal |
| T1070.006 | Timestomp |
| T1070.007 | Clear Network Connection History and Configurations |
| T1070.008 | Clear Mailbox Data |
| T1070.009 | Clear Persistence |
| T1070.010 | Relocate Malware |
Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as Remote Services or External Remote Services. Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.
Network connection history may be stored in various locations. For example, RDP connection history may be stored in Windows Registry values under [1]:
HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\DefaultHKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\ServersWindows may also store information about recent RDP connections in files such as C:\Users\%username%\Documents\Default.rdp and C:\Users\%username%\AppData\Local\Microsoft\TerminalServer Client\Cache\.[2] Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in /Library/Logs and/or /var/log/).[3][4][5]
Malicious network connections may also require changes to third-party applications or network configuration settings, such as Disable or Modify System Firewall or tampering to enable Proxy. Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.
| ID | Name | Description |
|---|---|---|
| C0056 | RedPenguin |
During RedPenguin, UNC3886 used an implant to delete logs associated with unauthorized access to targeted Junos OS devices.[6] |
| S0559 | SUNBURST |
SUNBURST also removed the firewall rules it created during execution.[7] |
| G1048 | UNC3886 |
UNC3886 has cleared specific events that contained the threat actor’s IP address from multiple log sources.[8] |
| G1017 | Volt Typhoon |
Volt Typhoon has inspected server logs to remove their IPs.[9] |
| ID | Mitigation | Description |
|---|---|---|
| M1029 | Remote Data Storage |
Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. |
| M1024 | Restrict Registry Permissions |
Protect generated event files and logs that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0049 | Behavioral Detection of Network History and Configuration Tampering | AN0133 |
Detects attempts to clear RDP/network history and modify network configuration artifacts through command execution, registry key deletion, firewall rule changes, and suspicious file deletions (e.g., Default.rdp, registry edits to Terminal Server Client keys). |
| AN0134 |
Detects deletion or overwriting of logs/configs that store SSH or proxy activity, such as /var/log/auth.log or custom .bash_history clearing tied to SSH sessions or firewall rule changes. |
||
| AN0135 |
Detects removal of Remote Login or Screen Sharing logs in Unified Logging, deletion of |
||
| AN0136 |
Detects firewall rule modifications or reset of logs/connection tables (e.g., |