Skip to content

T1070.007 Clear Network Connection History and Configurations

Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system from behaviors that require network connections, such as Remote Services or External Remote Services. Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.

Network connection history may be stored in various locations on a system. For example, RDP connection history may be stored in Windows Registry values under 2:

  • HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default
  • HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers

Windows may also store information about recent RDP connections in files such as C:\Users\%username%\Documents\Default.rdp and C:\Users\%username%\AppData\Local\Microsoft\Terminal Server Client\Cache\.3 Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in /Library/Logs and/or /var/log/).415

Malicious network connections may also require changes to network configuration settings, such as Disable or Modify System Firewall or tampering to enable Proxy. Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.

Item Value
ID T1070.007
Sub-techniques T1070.001, T1070.002, T1070.003, T1070.004, T1070.005, T1070.006, T1070.007, T1070.008, T1070.009
Tactics TA0005
Platforms Linux, Network, Windows, macOS
Version 1.0
Created 15 June 2022
Last Modified 21 October 2022

Procedure Examples

ID Name Description
S0559 SUNBURST SUNBURST also removed the firewall rules it created during execution.6


ID Mitigation Description
M1029 Remote Data Storage Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system.
M1024 Restrict Registry Permissions Protect generated event files and logs that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.


ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Modification
DS0018 Firewall Firewall Rule Modification
DS0009 Process Process Creation
DS0024 Windows Registry Windows Registry Key Modification