T1070.007

Clear Network Connection History and Configurations

Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as Remote Services or External Remote Services. Network connection history may be stored in Windows Registry values under HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default and Servers, in files such as Default.rdp and RDP cache files, or in system logs on macOS and Linux. Adversaries may delete or modify this data to conceal indicators and impede defensive analysis.

Microsoft Sentinel / Defender

kusto

let RDPRegistryPaths = dynamic([
  "Software\\Microsoft\\Terminal Server Client\\Default",
  "Software\\Microsoft\\Terminal Server Client\\Servers"
]);
let SuspiciousRegDeletionPatterns = dynamic([
  "Terminal Server Client",
  "Terminal Server Client\\Default",
  "Terminal Server Client\\Servers"
]);
let RDPFilePaths = dynamic([
  "Default.rdp",
  "\\Terminal Server Client\\Cache\\"
]);
// Detection 1: Registry deletions targeting RDP connection history
let RegDeletions = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType in ("RegistryKeyDeleted", "RegistryValueDeleted")
| where RegistryKey has_any (SuspiciousRegDeletionPatterns)
| extend DetectionType = "RDP Registry History Deletion"
| project Timestamp, DeviceName, AccountName, ActionType, RegistryKey, RegistryValueName, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Detection 2: Deletion of RDP connection files
let RDPFileDeletions = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileDeleted"
| where FileName has_any (RDPFilePaths) or FolderPath has "Terminal Server Client\\Cache"
| extend DetectionType = "RDP File History Deletion"
| project Timestamp, DeviceName, AccountName, ActionType, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Detection 3: Command-line deletion of network history artifacts
let CmdNetHistoryClean = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (
    "Terminal Server Client",
    "Default.rdp",
    "netsh wlan delete",
    "netsh advfirewall reset",
    "netsh int ip reset",
    "arp -d",
    "route delete",
    "Clear-DnsClientCache",
    "ipconfig /flushdns",
    "dnscmd /clearcache"
  )
  and ProcessCommandLine has_any ("del ", "Remove-Item", "rm ", "erase ", "reg delete", "delete", "clear", "flush", "reset")
| extend DetectionType = "CLI Network History Cleanup"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Union all detections
RegDeletions
| union RDPFileDeletions
| union CmdNetHistoryClean
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Windows Registry: Registry Key Deletion File: File Deletion Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceRegistryEvents DeviceFileEvents DeviceProcessEvents

False Positives

System administrators clearing RDP connection lists as part of routine IT maintenance or user profile cleanup
Enterprise IT tools (SCCM, Group Policy scripts) that reset network configurations during device re-imaging or re-provisioning
Security hardening scripts that flush DNS cache and reset network settings as part of scheduled maintenance windows
Users manually clearing their own RDP history for privacy or organizational hygiene purposes
Antivirus or endpoint management software that clears cached network state during remediation workflows

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
| eval EventCode=coalesce(EventCode, event_id)
// Sysmon EventCode 12 = RegistryEvent (Object create and delete), 13 = RegistryEvent (Value Set), 14 = RegistryEvent (Key and Value Rename)
| eval RegistryAction=case(
    EventCode==12 AND EventType="DeleteKey", "RegistryKeyDeleted",
    EventCode==12 AND EventType="DeleteValue", "RegistryValueDeleted",
    true(), null()
  )
// Sysmon EventCode 11 = FileCreate, EventCode 23 = FileDelete
| eval IsRDPRegistryDeletion=if(
    (EventCode==12) AND (match(TargetObject, "Terminal Server Client\\(Default|Servers)")), 1, 0
  )
| eval IsRDPFileDeletion=if(
    (EventCode==23 OR EventCode==11) AND (match(TargetFilename, "(?i)(Default\.rdp|Terminal Server Client\\\\Cache)")), 1, 0
  )
// Process-based detection for network config clearing commands
| eval IsNetworkHistoryClear=if(
    EventCode==1 AND (
      match(CommandLine, "(?i)(del|Remove-Item|erase|reg\s+delete).*Terminal Server Client") OR
      match(CommandLine, "(?i)(del|Remove-Item|erase).*Default\.rdp") OR
      match(CommandLine, "(?i)netsh\s+(wlan\s+delete|advfirewall\s+reset|int\s+ip\s+reset|interface\s+ip\s+reset)") OR
      match(CommandLine, "(?i)(Clear-DnsClientCache|ipconfig\s+/flushdns|dnscmd\s+/clearcache)") OR
      match(CommandLine, "(?i)arp\s+-d") OR
      match(CommandLine, "(?i)route\s+delete")
    ), 1, 0
  )
| where IsRDPRegistryDeletion=1 OR IsRDPFileDeletion=1 OR IsNetworkHistoryClear=1
| eval DetectionCategory=case(
    IsRDPRegistryDeletion=1, "RDP Registry History Deletion",
    IsRDPFileDeletion=1, "RDP File History Deletion",
    IsNetworkHistoryClear=1, "CLI Network History Cleanup",
    true(), "Unknown"
  )
| eval Actor=coalesce(User, SubjectUserName, "-")
| eval ProcessName=coalesce(Image, process_name, "-")
| eval CmdLine=coalesce(CommandLine, "-")
| eval TargetArtifact=coalesce(TargetObject, TargetFilename, CmdLine)
| table _time, host, Actor, ProcessName, CmdLine, TargetArtifact, DetectionCategory, EventCode
| sort - _time

medium severity medium confidence

Data Sources

Windows Registry: Registry Key Deletion File: File Deletion Process: Process Creation Command: Command Execution Sysmon Event ID 1 Sysmon Event ID 12 Sysmon Event ID 23

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

System administrators clearing RDP connection lists as part of routine IT maintenance or user profile cleanup
Enterprise IT tools (SCCM, Group Policy scripts) that reset network configurations during device re-imaging or re-provisioning
Security hardening scripts that flush DNS cache and reset network settings as part of scheduled maintenance windows
Users manually clearing their own RDP history for privacy or organizational hygiene purposes
Antivirus or endpoint management software that clears cached network state during remediation workflows

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS "Event Time",
  LOGSOURCENAME(logsourceid) AS "Log Source",
  username AS "Actor",
  sourceip AS "Source IP",
  QIDNAME(qid) AS "Event Name",
  "EventID" AS "Event ID",
  "TargetObject" AS "Registry Key",
  "TargetFilename" AS "Target File",
  "CommandLine" AS "Command Line",
  CASE
    WHEN "TargetObject" ILIKE '%Terminal Server Client%Default%'
      OR "TargetObject" ILIKE '%Terminal Server Client%Servers%'
      THEN 'RDP Registry History Deletion'
    WHEN "TargetFilename" ILIKE '%Default.rdp%'
      OR "TargetFilename" ILIKE '%Terminal Server Client%Cache%'
      THEN 'RDP File History Deletion'
    ELSE 'CLI Network History Cleanup'
  END AS "Detection Category"
FROM events
WHERE
  (
    -- Sysmon EventCode 12: Registry key or value deletion targeting RDP connection history
    ("EventID" = '12'
      AND (
        "TargetObject" ILIKE '%Terminal Server Client\\Default%'
        OR "TargetObject" ILIKE '%Terminal Server Client\\Servers%'
      )
    )
    OR
    -- Sysmon EventCode 23: File deletion targeting RDP history artifacts
    ("EventID" = '23'
      AND (
        "TargetFilename" ILIKE '%Default.rdp%'
        OR "TargetFilename" ILIKE '%Terminal Server Client%Cache%'
      )
    )
    OR
    -- Sysmon EventCode 1: Process creation with network history cleanup commands
    ("EventID" = '1'
      AND (
        ("CommandLine" ILIKE '%Terminal Server Client%'
          AND ("CommandLine" ILIKE '%del %' OR "CommandLine" ILIKE '%Remove-Item%'
            OR "CommandLine" ILIKE '%reg delete%' OR "CommandLine" ILIKE '%erase %'))
        OR ("CommandLine" ILIKE '%Default.rdp%'
          AND ("CommandLine" ILIKE '%del %' OR "CommandLine" ILIKE '%Remove-Item%'
            OR "CommandLine" ILIKE '%erase %'))
        OR "CommandLine" ILIKE '%netsh wlan delete%'
        OR "CommandLine" ILIKE '%netsh advfirewall reset%'
        OR "CommandLine" ILIKE '%netsh int ip reset%'
        OR "CommandLine" ILIKE '%netsh interface ip reset%'
        OR "CommandLine" ILIKE '%arp -d%'
        OR "CommandLine" ILIKE '%route delete%'
        OR "CommandLine" ILIKE '%Clear-DnsClientCache%'
        OR "CommandLine" ILIKE '%ipconfig /flushdns%'
        OR "CommandLine" ILIKE '%dnscmd /clearcache%'
      )
    )
  )
LAST 24 HOURS
ORDER BY starttime DESC

high severity high confidence

Data Sources

IBM QRadar SIEM Microsoft Windows Sysmon (QRadar DSM: Microsoft Windows) Windows Security Event Log (QRadar DSM)

Required Tables

events

False Positives

Help desk staff following standard SOPs to clear RDP history from workstations during user offboarding or system reassignment
Network engineers executing netsh commands to reset TCP/IP stacks or firewall policies during planned configuration changes
Endpoint protection tools (e.g., CrowdStrike, SentinelOne) flushing the DNS resolver cache or resetting the network stack as part of automated remediation after malware removal

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*winlogbeat*)
| parse "EventCode=*" as EventCode nodrop
| parse "event_id=*" as event_id nodrop
| eval EventCode = if (!isNull(EventCode), EventCode, event_id)
| parse "TargetObject=*" as TargetObject nodrop
| parse "TargetFilename=*" as TargetFilename nodrop
| parse "CommandLine=*" as CommandLine nodrop
| parse "User=*" as Actor nodrop
| parse "Image=*" as ProcessImage nodrop
| parse "ComputerName=*" as ComputerName nodrop
| parse "Computer=*" as Computer nodrop
| eval Host = if (!isNull(ComputerName), ComputerName, Computer)
| where (
    // Sysmon EventCode 12: RDP registry key/value deletion
    (EventCode = "12" and (
      TargetObject matches /(?i)Terminal Server Client\\(Default|Servers)/
    ))
    or
    // Sysmon EventCode 23: RDP file artifact deletion
    (EventCode = "23" and (
      TargetFilename matches /(?i)Default\.rdp/
      or TargetFilename matches /(?i)Terminal Server Client.*Cache/
    ))
    or
    // Sysmon EventCode 1: CLI network history cleanup
    (EventCode = "1" and (
      CommandLine matches /(?i)(del|Remove-Item|erase|reg\s+delete).*Terminal Server Client/
      or CommandLine matches /(?i)(del|Remove-Item|erase).*Default\.rdp/
      or CommandLine matches /(?i)netsh\s+(wlan\s+delete|advfirewall\s+reset|int\s+ip\s+reset|interface\s+ip\s+reset)/
      or CommandLine matches /(?i)(Clear-DnsClientCache|ipconfig\s+\/flushdns|dnscmd\s+\/clearcache)/
      or CommandLine matches /(?i)arp\s+-d(\s|$)/
      or CommandLine matches /(?i)route\s+delete/
    ))
  )
| eval DetectionCategory = if (EventCode = "12", "RDP Registry History Deletion",
    if (EventCode = "23", "RDP File History Deletion", "CLI Network History Cleanup"))
| eval ArtifactAffected = if (!isNull(TargetObject) and TargetObject != "", TargetObject,
    if (!isNull(TargetFilename) and TargetFilename != "", TargetFilename, CommandLine))
| table _messageTime, Host, Actor, ProcessImage, CommandLine, ArtifactAffected, DetectionCategory, EventCode
| sort by _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Enterprise Winlogbeat with Sysmon (sourcecategory=*windows* or *sysmon*) Sumo Logic Installed Collector with Windows Event Log source

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon* _sourceCategory=*winlogbeat*

False Positives

Automated RDP history cleanup scripts deployed by system administrators as part of workstation security hardening or CIS benchmark compliance enforcement
VDI platforms (Citrix Virtual Apps, VMware Horizon) that execute logoff scripts clearing RDP artifacts and flushing network state between user sessions
Security orchestration tools (Splunk SOAR, Palo Alto XSOAR) issuing netsh or DNS flush commands as part of automated incident response playbook execution

Google Chronicle / SecOps

yaral

rule t1070_007_clear_network_connection_history {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1070.007 - Adversary clearing of RDP connection history via registry deletion, RDP file removal, or CLI-based network config erasure commands"
    mitre_attack_technique = "T1070.007"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_subtechnique = "Clear Network Connection History and Configurations"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    created = "2024-01-01"

  events:
    (
      // Detection 1: RDP Registry History Deletion
      (
        $e.metadata.event_type = "REGISTRY_MODIFICATION" and
        (
          re.regex($e.target.registry.registry_key,
            `(?i)Software\\Microsoft\\Terminal Server Client\\(Default|Servers)`) or
          re.regex($e.target.registry.registry_key,
            `(?i)Terminal Server Client\\(Default|Servers)`)
        )
      ) or
      // Detection 2: RDP File History Deletion
      (
        $e.metadata.event_type = "FILE_DELETION" and
        (
          re.regex($e.target.file.full_path, `(?i)Default\.rdp`) or
          re.regex($e.target.file.full_path, `(?i)Terminal Server Client.Cache`)
        )
      ) or
      // Detection 3: CLI Network History Cleanup via process execution
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        (
          re.regex($e.target.process.command_line,
            `(?i)netsh\s+(wlan\s+delete|advfirewall\s+reset|int\s+ip\s+reset|interface\s+ip\s+reset)`) or
          re.regex($e.target.process.command_line,
            `(?i)(Clear-DnsClientCache|ipconfig\s+/flushdns|dnscmd\s+/clearcache)`) or
          re.regex($e.target.process.command_line, `(?i)arp\s+-d`) or
          re.regex($e.target.process.command_line, `(?i)route\s+delete`) or
          re.regex($e.target.process.command_line,
            `(?i)(del|Remove-Item|erase|reg\s+delete).*(Terminal Server Client|Default\.rdp)`)
        )
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM (UDM events) Microsoft Windows Sysmon (via Chronicle Forwarder) Windows Security Events (via Chronicle Forwarder) Elastic Endpoint Security events forwarded to Chronicle

Required Tables

UDM Events (REGISTRY_MODIFICATION) UDM Events (FILE_DELETION) UDM Events (PROCESS_LAUNCH)

False Positives

Group Policy Objects or Intune configuration profiles that enforce removal of RDP connection history across managed devices as part of organizational hardening standards
IT help desk technicians flushing DNS resolver cache and resetting IP configurations on endpoints as part of standard network troubleshooting procedures
Enterprise VPN clients (Cisco AnyConnect, GlobalProtect) programmatically modifying routing tables via route delete commands during connection and disconnection lifecycle events

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ("RegValueDelete", "RegKeyDelete", "ProcessRollup2", "SyntheticProcessRollup2")
| case {
    // RDP Registry History Deletion via registry key or value deletion events
    #event_simpleName in ("RegValueDelete", "RegKeyDelete")
      | RegObjectName = /(?i)Terminal Server Client\\(Default|Servers)/
      | DetectionCategory := "RDP Registry History Deletion"
      | ArtifactAffected := RegObjectName;

    // CLI Network History Cleanup via process execution
    #event_simpleName in ("ProcessRollup2", "SyntheticProcessRollup2")
      | CommandLine = /(?i)(netsh\s+(wlan\s+delete|advfirewall\s+reset|int\s+ip\s+reset|interface\s+ip\s+reset)|Clear-DnsClientCache|ipconfig\s+\/flushdns|dnscmd\s+\/clearcache|arp\s+-d|route\s+delete|(del|Remove-Item|erase|reg\s+delete).*(Terminal Server Client|Default\.rdp))/
      | DetectionCategory := "CLI Network History Cleanup"
      | ArtifactAffected := CommandLine;

    *
      | DetectionCategory := "NOMATCH"
  }
| DetectionCategory != "NOMATCH"
| table(
    [_time, ComputerName, UserName, ImageFileName, CommandLine, RegObjectName, ArtifactAffected, DetectionCategory],
    sortby="_time",
    order="desc"
  )

high severity high confidence

Data Sources

CrowdStrike Falcon EDR (base_sensor repo) Falcon Sensor Registry Telemetry (RegValueDelete, RegKeyDelete) Falcon Sensor Process Telemetry (ProcessRollup2, SyntheticProcessRollup2)

Required Tables

base_sensor (RegValueDelete) base_sensor (RegKeyDelete) base_sensor (ProcessRollup2) base_sensor (SyntheticProcessRollup2)

False Positives

CrowdStrike Falcon Real Time Response (RTR) sessions where analysts execute netsh or registry commands to remediate or troubleshoot endpoints — correlate DetectionCategory against RTR session IDs
Legitimate use of PowerShell Clear-DnsClientCache in scheduled task scripts for performance tuning or network testing pipelines on developer or lab machines
Enterprise VPN clients and network management agents (e.g., Cisco AnyConnect, SolarWinds, PRTG agents) issuing route delete and arp -d commands during normal connection lifecycle management

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1070.007 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Clear Network Connection History and Configurations

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections