DET0049 Behavioral Detection of Network History and Configuration Tampering

| Item | Value |
|---|---|
| ID | DET0049 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1070.007 (Clear Network Connection History and Configurations)

Analytics

Windows

AN0133

Detects attempts to clear RDP/network history and modify network configuration artifacts through command execution, registry key deletion, firewall rule changes, and suspicious file deletions (e.g., Default.rdp, registry edits to Terminal Server Client keys).

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Windows Registry Key Modification (DC0063) | WinEventLog:Security | EventCode=4663, 4670, 4656 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Command Execution (DC0064) | EDR:cli | Command Line Telemetry |
| Firewall Rule Modification (DC0051) | WinEventLog:Security | Firewall Rule Modification |

Mutable Elements

| Field | Description |
|---|---|
| TargetPathRegex | Filter file/registry paths like \Terminal Server Client* or Default.rdp* |
| TimeWindow | Correlate command/registry edits within close proximity to suspicious connection activity |
| UserContext | Detect cleanup behavior from non-interactive or SYSTEM accounts |

Linux

AN0134

Detects deletion or overwriting of logs and configuration files that record SSH or proxy activity (such as /var/log/auth.log), clearing of .bash_history tied to SSH sessions, and firewall rule changes.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| File Modification (DC0061) | auditd:SYSCALL | PATH |

Mutable Elements

| Field | Description |
|---|---|
| CommandMatchPattern | Commands like > /var/log/auth.log, rm ~/.bash_history, iptables -F |
| LogPathFilter | Focus on /var/log/auth.log, /etc/ssh/, ~/.bash_history |

macOS

AN0135

Detects removal of Remote Login or Screen Sharing logs from Unified Logging, deletion of com.apple.UTun, or suspicious Terminal use of rm or sudo pfctl -F all to clear network state or configuration history.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | log stream --predicate 'eventMessage contains "loginwindow" or "pfctl"' |
| File Modification (DC0061) | macos:osquery | file_events |

Mutable Elements

| Field | Description |
|---|---|
| FilenameMatch | e.g., com.apple.UTun, RemoteManagement log files |
| TimeDeltaFromLogin | Correlate deletion with recent SSH or GUI remote login session |

Network Devices

AN0136

Detects firewall rule modifications or reset of logs/connection tables (e.g., clear logging, erase startup-config, write erase) following remote access activity on routers, switches, or VPN appliances.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | networkdevice:syslog | Command Audit / Configuration Change |
| Network Traffic Content (DC0085) | NSM:Flow | Session History Reset |

Mutable Elements

| Field | Description |
|---|---|
| CommandPattern | e.g., clear logging, no logging buffered, no ip domain-lookup |
| DeviceTypeFilter | Switches vs VPN vs routers |
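The four analytics above (AN0133 to AN0136) share one shape: match a command, registry key or file path against a tunable pattern, then raise confidence when the event follows a remote login within a time window or comes from a privileged/non-interactive account. The script below is an added example, not code from the ATT&CK project, that implements that logic over a constructed, pre-normalised event feed. The pipe-delimited record format, the regex strings, the 15-minute window, the privileged-account set and every sample record are assumptions made for illustration; in a real pipeline the records would be built from the Sysmon, auditd, unified log and syslog channels the tables list.

```python
"""Toy DET0049 detector: flags network-history cleanup across Windows, Linux,
macOS and network devices. Added example; feed format, patterns, window and
sample records are all constructed, not taken from the ATT&CK page."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Mutable elements expressed as regexes (assumed values; tune per environment).
TARGET_PATH_REGEX = re.compile(r"Terminal Server Client|Default\.rdp", re.IGNORECASE)  # AN0133
LOG_PATH_FILTER = re.compile(r"/var/log/auth\.log|/etc/ssh/|\.bash_history")          # AN0134
FILENAME_MATCH = re.compile(r"com\.apple\.UTun|RemoteManagement")                      # AN0135
COMMAND_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "windows": re.compile(r"reg(?:\.exe)?\s+delete\s+.*Terminal Server Client|del\s+.*Default\.rdp",
                          re.IGNORECASE),                                              # AN0133
    "linux": re.compile(r">\s*/var/log/auth\.log|rm\s+.*\.bash_history|iptables\s+-F"),  # AN0134
    "macos": re.compile(r"pfctl\s+-F\s+all|rm\s+.*(?:com\.apple\.UTun|RemoteManagement)"),  # AN0135
    "network": re.compile(r"clear logging|no logging buffered|no ip domain-lookup|"
                          r"erase startup-config|write erase"),                        # AN0136
}
TIME_WINDOW = timedelta(minutes=15)       # TimeWindow / TimeDeltaFromLogin (assumed)
PRIVILEGED_USERS = {"SYSTEM", "root"}     # UserContext (assumed set)


@dataclass
class Event:
    ts: datetime
    platform: str   # windows | linux | macos | network
    kind: str       # login | command | registry | file
    user: str
    detail: str     # command line, registry key, or file path


def parse_line(line: str) -> Event:
    """Parse one record of the constructed feed: ts|platform|kind|user|detail."""
    ts, platform, kind, user, detail = line.split("|", 4)
    return Event(datetime.fromisoformat(ts), platform, kind, user, detail)


def cleanup_reason(ev: Event) -> Optional[str]:
    """Return why an event looks like network-history cleanup, or None if benign."""
    if ev.kind == "command" and COMMAND_PATTERNS[ev.platform].search(ev.detail):
        return "command matches CommandPattern"
    if ev.kind == "registry" and TARGET_PATH_REGEX.search(ev.detail):
        return "registry key matches TargetPathRegex"
    if ev.kind == "file":
        if ev.platform == "windows" and TARGET_PATH_REGEX.search(ev.detail):
            return "file path matches TargetPathRegex"
        if ev.platform == "linux" and LOG_PATH_FILTER.search(ev.detail):
            return "file path matches LogPathFilter"
        if ev.platform == "macos" and FILENAME_MATCH.search(ev.detail):
            return "file path matches FilenameMatch"
    return None


def detect(lines: List[str]) -> List[Tuple[Event, List[str]]]:
    """Flag cleanup events; attach correlation context (recent login, privileged user)."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e.ts)
    last_login: Dict[str, datetime] = {}   # most recent remote login per platform
    alerts: List[Tuple[Event, List[str]]] = []
    for ev in events:
        if ev.kind == "login":
            last_login[ev.platform] = ev.ts
            continue
        reason = cleanup_reason(ev)
        if reason is None:
            continue
        reasons = [reason]
        login_ts = last_login.get(ev.platform)
        if login_ts is not None and ev.ts - login_ts <= TIME_WINDOW:
            reasons.append("within TimeWindow of remote login")
        if ev.user in PRIVILEGED_USERS:
            reasons.append("UserContext: privileged/non-interactive account")
        alerts.append((ev, reasons))
    return alerts


SAMPLE_FEED = [  # constructed sample records, not real telemetry
    "2025-10-21T10:00:00|windows|login|alice|RDP logon",
    "2025-10-21T10:05:00|windows|command|alice|reg delete HKCU\\Software\\Microsoft\\Terminal Server Client\\Default /va /f",
    "2025-10-21T10:06:00|windows|file|SYSTEM|C:\\Users\\alice\\Documents\\Default.rdp deleted",
    "2025-10-21T11:00:00|linux|login|bob|sshd accepted publickey",
    "2025-10-21T11:02:00|linux|command|root|iptables -F",
    "2025-10-21T11:03:00|linux|command|bob|cat /var/log/auth.log",  # benign read, no alert
    "2025-10-21T12:00:00|macos|command|carol|sudo pfctl -F all",     # no recent login: pattern only
    "2025-10-21T13:00:00|network|command|admin|clear logging",
]

if __name__ == "__main__":
    for ev, why in detect(SAMPLE_FEED):
        print(f"{ev.ts.isoformat()} {ev.platform:8} {ev.user:6} {ev.detail!r}: {'; '.join(why)}")
```

Each alert carries the reasons that fired, so a triage rule can treat "pattern only" hits (the macOS record, with no login in the window and a normal user) as lower confidence than hits that also satisfy the time-window or user-context elements; the read-only `cat /var/log/auth.log` never matches because LogPathFilter applies to file-modification events, not to every command mentioning the path.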