Description
Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as Remote Services or External Remote Services. Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.
Network connection history may be stored in various locations. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal):
HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default
HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers
Windows may also store information about recent RDP connections in files such as C:\Users\%username%\Documents\Default.rdp and C:\Users\%username%\AppData\Local\Microsoft\Terminal Server Client\Cache\.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in /Library/Logs and/or /var/log/).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)
Malicious network connections may also require changes to third-party applications or network configuration settings, such as Disable or Modify System Firewall or tampering to enable Proxy. Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.
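As an added detection example (not part of the ATT&CK page or its cited references), the Python below encodes the artifact locations named above as path rules and flags deletion events that touch them. The event layout is a constructed one-line key=value rendering; the field names and values (EventID 12 with EventType DeleteKey/DeleteValue, EventID 23/26 with TargetFilename, Image) follow Sysmon's, but the sample lines, the SID, user and host names are made up, and the same constructed layout is reused for the macOS/Linux log paths so one parser covers all three platforms.

```python
"""Flag removal of the network-connection-history artifacts listed for T1070.007.

Added example, not from the ATT&CK page. Input is a constructed
'Key=value Key="quoted value"' rendering of Sysmon-style registry (ID 12)
and file-delete (ID 23/26) events; field names mirror Sysmon's, the layout
and every sample value are assumptions.
"""
import re
from typing import List, Optional, Tuple

# Registry locations from the technique description (HKCU appears as HKU\<SID> in Sysmon).
REGISTRY_PATTERNS = [
    re.compile(r"\\Software\\Microsoft\\Terminal Server Client\\(Default|Servers)(\\|$)", re.I),
]
# File and log locations from the technique description.
FILE_PATTERNS = [
    re.compile(r"\\Documents\\Default\.rdp$", re.I),
    re.compile(r"\\AppData\\Local\\Microsoft\\Terminal Server Client\\Cache(\\|$)", re.I),
    re.compile(r"^/var/log/"),
    re.compile(r"^/Library/Logs/"),
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def artifact_kind(path: str) -> Optional[str]:
    """Return 'registry' or 'file' when path is a known connection-history artifact."""
    if any(p.search(path) for p in REGISTRY_PATTERNS):
        return "registry"
    if any(p.search(path) for p in FILE_PATTERNS):
        return "file"
    return None


def parse_event(line: str) -> dict:
    """Parse one constructed key=value record into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def classify(event: dict) -> Optional[str]:
    """Name the alert when the event removes a connection-history artifact, else None."""
    eid = event.get("EventID")
    target = event.get("TargetObject") or event.get("TargetFilename", "")
    kind = artifact_kind(target)
    if kind is None:
        return None
    # Registry key/value deletion (Sysmon ID 12) under the RDP client history keys.
    if eid == "12" and kind == "registry" and event.get("EventType") in ("DeleteKey", "DeleteValue"):
        return "rdp_registry_history_removed"
    # File deletion (Sysmon ID 23 archived / 26 detected) of RDP files or system logs.
    if eid in ("23", "26") and kind == "file":
        return "connection_log_or_rdp_file_deleted"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (alert, image, target) for every line that matches a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        alert = classify(ev)
        if alert:
            hits.append((alert, ev.get("Image", "?"),
                         ev.get("TargetObject") or ev.get("TargetFilename", "")))
    return hits


# Constructed sample events; SID, names and paths are made up.
SAMPLE_EVENTS = [
    r'EventID=12 EventType=DeleteValue Image="C:\Windows\System32\reg.exe" User="CORP\alice" TargetObject="HKU\S-1-5-21-1111\Software\Microsoft\Terminal Server Client\Servers\srv01"',
    r'EventID=12 EventType=CreateKey Image="C:\Windows\System32\mstsc.exe" User="CORP\alice" TargetObject="HKU\S-1-5-21-1111\Software\Microsoft\Terminal Server Client\Servers\srv02"',
    r'EventID=23 Image="C:\Windows\System32\cmd.exe" User="CORP\alice" TargetFilename="C:\Users\alice\Documents\Default.rdp"',
    r'EventID=13 EventType=SetValue Image="C:\Windows\explorer.exe" User="CORP\alice" TargetObject="HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\updater"',
    r'EventID=23 Image="C:\Windows\System32\svchost.exe" User="NT AUTHORITY\SYSTEM" TargetFilename="C:\Users\alice\AppData\Local\Temp\tmp0001.tmp"',
    r'EventID=26 Image="C:\Windows\System32\cmd.exe" User="CORP\alice" TargetFilename="C:\Users\alice\AppData\Local\Microsoft\Terminal Server Client\Cache\cache0000.bin"',
    r'EventID=23 Image="/usr/bin/rm" User="root" TargetFilename="/var/log/auth.log"',
]

if __name__ == "__main__":
    for alert, image, target in scan(SAMPLE_EVENTS):
        print(f"{alert}: {image} -> {target}")
```

The rules deliberately ignore key creation and value sets (lines 2 and 4 of the sample), since those are what a legitimate RDP client writes; only removals match. In production the same classifier would run over forwarded events, which ties in with the Remote Data Storage mitigation below: if the events never leave the host, an adversary who clears the registry keys can clear the Sysmon log too.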
Platforms
Mitigations (2)
M1029 Remote Data Storage
Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system.
M1024 Restrict Registry Permissions
Protect generated event files and logs that are stored locally with proper permissions and authentication, and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation.
Threat Groups (2)
| ID | Group | Context |
|---|---|---|
| G1048 | UNC3886 | [UNC3886](https://attack.mitre.org/groups/G1048) has cleared specific events that contained the threat actor’s IP address from multiple log sources.(C... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has inspected server logs to remove their IPs.(Citation: Secureworks BRONZE SILHOUETTE May 2023) |
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S0559 | SUNBURST | Malware | [SUNBURST](https://attack.mitre.org/software/S0559) also removed the firewall rules it created during execution.(Citation: Microsoft Deep Dive Solorig... |
References
- freedesktop.org. (n.d.). systemd-journald.service. Retrieved June 15, 2022.
- Microsoft. (2021, September 24). How to remove entries from the Remote Desktop Connection Computer box. Retrieved June 15, 2022.
- Moran, B. (2020, November 18). Putting Together the RDPieces. Retrieved October 17, 2022.
- rjben. (2012, May 30). How do you find the culprit when unauthorized access to a computer is a problem? Retrieved August 3, 2022.
- Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved August 19, 2021.
Frequently Asked Questions
What is T1070.007 (Clear Network Connection History and Configurations)?
T1070.007 is a MITRE ATT&CK technique named 'Clear Network Connection History and Configurations'. It belongs to the Stealth tactic(s). Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection...
How can T1070.007 be detected?
Detection of T1070.007 (Clear Network Connection History and Configurations) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1070.007?
There are 2 documented mitigations for T1070.007. Key mitigations include: Remote Data Storage, Restrict Registry Permissions.
Which threat groups use T1070.007?
Known threat groups using T1070.007 include: UNC3886, Volt Typhoon.