T1070.007 Clear Network Connection History and Configurations
Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system from behaviors that require network connections, such as Remote Services or External Remote Services. Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.
Network connection history may be stored in various locations on a system. For example, RDP connection history may be stored in Windows Registry values under 2:
HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\DefaultHKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers
Windows may also store information about recent RDP connections in files such as C:\Users\%username%\Documents\Default.rdp and C:\Users\%username%\AppData\Local\Microsoft\Terminal
Server Client\Cache\.3 Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in /Library/Logs and/or /var/log/).415
Malicious network connections may also require changes to network configuration settings, such as Disable or Modify System Firewall or tampering to enable Proxy. Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.
| Item | Value |
|---|---|
| ID | T1070.007 |
| Sub-techniques | T1070.001, T1070.002, T1070.003, T1070.004, T1070.005, T1070.006, T1070.007, T1070.008, T1070.009 |
| Tactics | TA0005 |
| Platforms | Linux, Network, Windows, macOS |
| Version | 1.0 |
| Created | 15 June 2022 |
| Last Modified | 21 October 2022 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0559 | SUNBURST | SUNBURST also removed the firewall rules it created during execution.6 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1029 | Remote Data Storage | Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. |
| M1024 | Restrict Registry Permissions | Protect generated event files and logs that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0022 | File | File Modification |
| DS0018 | Firewall | Firewall Rule Modification |
| DS0009 | Process | Process Creation |
| DS0024 | Windows Registry | Windows Registry Key Modification |
References
-
freedesktop.org. (n.d.). systemd-journald.service. Retrieved June 15, 2022. ↩
-
Microsoft. (2021, September 24). How to remove entries from the Remote Desktop Connection Computer box. Retrieved June 15, 2022. ↩
-
Moran, B. (2020, November 18). Putting Together the RDPieces. Retrieved October 17, 2022. ↩
-
rjben. (2012, May 30). How do you find the culprit when unauthorized access to a computer is a problem?. Retrieved August 3, 2022. ↩
-
Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved August 19, 2021. ↩
-
MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021. ↩