Indicator Removal: Clear Network Connection History and Configurations
Created the Tuesday 07 February 2023. Updated 1 year, 2 months ago.
Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system from behaviors that require network connections, such as Remote Services or External Remote Services. Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.
Network connection history may be stored in various locations on a system. For example, RDP connection history may be stored in Windows Registry values under:
HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers Windows may also store information about recent RDP connections in files such as C:\Users\%username%\Documents\Default.rdp and C:\Users\%username%\AppData\Local\Microsoft\TerminalServer Client\Cache.
Malicious network connections may also require changes to network configuration settings, such as Disable or Modify System Firewall or tampering to enable Proxy. Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.
Technique Identifier
Technique Tags
Defense Evasion Network history deletion HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers C:\Users\%username%\Documents\Default.rdp C:\Users\%username%\AppData\Local\Microsoft\TerminalServer Client\Cache disable firewall rule modify firewall add firewall rule modify network configuration bypass firewall rule enable Proxy
Additional Resources
External Links
The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.