Detect Clear Network Connection History and Configurations in Microsoft Sentinel
Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as Remote Services or External Remote Services. Network connection history may be stored in Windows Registry values under HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default and Servers, in files such as Default.rdp and RDP cache files, or in system logs on macOS and Linux. Adversaries may delete or modify this data to conceal indicators and impede defensive analysis.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1070 Indicator Removal
- Sub-technique: T1070.007 Clear Network Connection History and Configurations
- Canonical reference: https://attack.mitre.org/techniques/T1070/007/
KQL Detection Query
let RDPRegistryPaths = dynamic([
"Software\\Microsoft\\Terminal Server Client\\Default",
"Software\\Microsoft\\Terminal Server Client\\Servers"
]);
let SuspiciousRegDeletionPatterns = dynamic([
"Terminal Server Client",
"Terminal Server Client\\Default",
"Terminal Server Client\\Servers"
]);
let RDPFilePaths = dynamic([
"Default.rdp",
"\\Terminal Server Client\\Cache\\"
]);
// Detection 1: Registry deletions targeting RDP connection history
let RegDeletions = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType in ("RegistryKeyDeleted", "RegistryValueDeleted")
| where RegistryKey has_any (SuspiciousRegDeletionPatterns)
| extend DetectionType = "RDP Registry History Deletion"
| project Timestamp, DeviceName, AccountName, ActionType, RegistryKey, RegistryValueName, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Detection 2: Deletion of RDP connection files
let RDPFileDeletions = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileDeleted"
| where FileName has_any (RDPFilePaths) or FolderPath has "Terminal Server Client\\Cache"
| extend DetectionType = "RDP File History Deletion"
| project Timestamp, DeviceName, AccountName, ActionType, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Detection 3: Command-line deletion of network history artifacts
let CmdNetHistoryClean = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (
"Terminal Server Client",
"Default.rdp",
"netsh wlan delete",
"netsh advfirewall reset",
"netsh int ip reset",
"arp -d",
"route delete",
"Clear-DnsClientCache",
"ipconfig /flushdns",
"dnscmd /clearcache"
)
and ProcessCommandLine has_any ("del ", "Remove-Item", "rm ", "erase ", "reg delete", "delete", "clear", "flush", "reset")
| extend DetectionType = "CLI Network History Cleanup"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Union all detections
RegDeletions
| union RDPFileDeletions
| union CmdNetHistoryClean
| sort by Timestamp desc
Detects attempts to clear network connection history and configurations on Windows endpoints using Microsoft Defender for Endpoint tables. Covers three key areas: (1) deletion of RDP connection history from the Windows Registry under HKCU\Software\Microsoft\Terminal Server Client, (2) deletion of RDP connection files such as Default.rdp and RDP cache files, and (3) command-line execution of tools that clear DNS cache, ARP tables, routing tables, firewall configurations, or wireless network profiles. Unions results across all three detection patterns for a comprehensive view.
Data Sources
Required Tables
- DeviceRegistryEvents, DeviceFileEvents and DeviceProcessEvents (the Microsoft Defender for Endpoint advanced hunting tables referenced by the query above)
False Positives & Tuning
- System administrators clearing RDP connection lists as part of routine IT maintenance or user profile cleanup
- Enterprise IT tools (SCCM, Group Policy scripts) that reset network configurations during device re-imaging or re-provisioning
- Security hardening scripts that flush DNS cache and reset network settings as part of scheduled maintenance windows
- Users manually clearing their own RDP history for privacy or organizational hygiene purposes
- Antivirus or endpoint management software that clears cached network state during remediation workflows
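To make the query's logic and the tuning notes above concrete, here is an added Python re-implementation of the three detections (registry deletion, RDP file deletion, command-line cleanup) run over constructed Defender for Endpoint style rows, followed by an initiating-process allowlist of the kind the false-positive list calls for. This is example code written for this page, not Sentinel, Defender or the query author's code; the sample rows, the `has_any` substring approximation and the `mgmtagent.exe` allowlist entry are all constructed for illustration.

```python
"""Python mirror of the page's three-part KQL detection over constructed
Microsoft Defender for Endpoint style rows, plus an allowlist tuning step.
Added example; sample rows and allowlist names are constructed."""

# Pattern lists mirror the KQL query's dynamic() arrays.
REG_DELETION_PATTERNS = ("Terminal Server Client",
                         "Terminal Server Client\\Default",
                         "Terminal Server Client\\Servers")
RDP_FILE_PATTERNS = ("Default.rdp", "\\Terminal Server Client\\Cache\\")
NET_HISTORY_TOOLS = ("Terminal Server Client", "Default.rdp", "netsh wlan delete",
                     "netsh advfirewall reset", "netsh int ip reset", "arp -d",
                     "route delete", "Clear-DnsClientCache", "ipconfig /flushdns",
                     "dnscmd /clearcache")
DELETION_VERBS = ("del ", "Remove-Item", "rm ", "erase ", "reg delete",
                  "delete", "clear", "flush", "reset")


def has_any(value, patterns):
    """Case-insensitive substring approximation of KQL has_any.
    KQL's has is term-based, so the real query is slightly stricter."""
    text = (value or "").lower()
    return any(p.lower() in text for p in patterns)


def classify(row):
    """Return the DetectionType the KQL query would assign to one row, or None."""
    table, action = row["Table"], row.get("ActionType", "")
    if table == "DeviceRegistryEvents":
        if action in ("RegistryKeyDeleted", "RegistryValueDeleted") and \
                has_any(row.get("RegistryKey"), REG_DELETION_PATTERNS):
            return "RDP Registry History Deletion"
    elif table == "DeviceFileEvents":
        if action == "FileDeleted" and (has_any(row.get("FileName"), RDP_FILE_PATTERNS)
                                        or has_any(row.get("FolderPath"), ("Terminal Server Client\\Cache",))):
            return "RDP File History Deletion"
    elif table == "DeviceProcessEvents":
        cmd = row.get("ProcessCommandLine")
        if has_any(cmd, NET_HISTORY_TOOLS) and has_any(cmd, DELETION_VERBS):
            return "CLI Network History Cleanup"
    return None


def detect(rows):
    """Union of the three detections, newest first, like the query's final sort."""
    hits = [{**row, "DetectionType": kind} for row in rows if (kind := classify(row))]
    return sorted(hits, key=lambda r: r["Timestamp"], reverse=True)


def tune(hits, allowed_initiating_processes):
    """Suppress hits started by an allowlisted management agent (the false-positive
    notes mention SCCM-style tooling; the names here are constructed placeholders)."""
    allowed = {p.lower() for p in allowed_initiating_processes}
    return [h for h in hits if h.get("InitiatingProcessFileName", "").lower() not in allowed]


# Constructed sample telemetry, not real data.
SAMPLE_ROWS = [
    {"Table": "DeviceRegistryEvents", "Timestamp": "2024-01-01T10:00:00Z", "DeviceName": "ws01",
     "ActionType": "RegistryValueDeleted", "InitiatingProcessFileName": "reg.exe",
     "RegistryKey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\\srv01"},
    {"Table": "DeviceRegistryEvents", "Timestamp": "2024-01-01T10:01:00Z", "DeviceName": "ws01",
     "ActionType": "RegistryValueSet", "InitiatingProcessFileName": "mstsc.exe",  # normal RDP use
     "RegistryKey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\\srv02"},
    {"Table": "DeviceFileEvents", "Timestamp": "2024-01-01T10:02:00Z", "DeviceName": "ws01",
     "ActionType": "FileDeleted", "FileName": "Default.rdp",
     "FolderPath": "C:\\Users\\alice\\Documents", "InitiatingProcessFileName": "cmd.exe"},
    {"Table": "DeviceProcessEvents", "Timestamp": "2024-01-01T10:03:00Z", "DeviceName": "ws01",
     "ProcessCommandLine": "ipconfig /flushdns", "InitiatingProcessFileName": "cmd.exe"},
    {"Table": "DeviceProcessEvents", "Timestamp": "2024-01-01T10:04:00Z", "DeviceName": "ws02",
     "ProcessCommandLine": "netsh advfirewall reset", "InitiatingProcessFileName": "mgmtagent.exe"},
    {"Table": "DeviceProcessEvents", "Timestamp": "2024-01-01T10:05:00Z", "DeviceName": "ws02",
     "ProcessCommandLine": "notepad.exe notes.txt", "InitiatingProcessFileName": "explorer.exe"},
]

if __name__ == "__main__":
    for hit in tune(detect(SAMPLE_ROWS), ["mgmtagent.exe"]):
        print(hit["Timestamp"], hit["DeviceName"], hit["DetectionType"])
```

Running the block reports the registry deletion, the Default.rdp deletion and the DNS flush; the firewall reset launched by the allowlisted agent is suppressed, and the RegistryValueSet row written by normal mstsc.exe use never matches because only deletion action types are considered.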
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Delete RDP Connection History from Registry
Expected signal: Sysmon Event ID 12 (RegistryEvent - Object Delete): TargetObject will contain 'Software\Microsoft\Terminal Server Client\Default' and 'Software\Microsoft\Terminal Server Client\Servers'. Sysmon Event ID 1 (Process Create): reg.exe with CommandLine containing 'reg delete' and 'Terminal Server Client'. Security Event ID 4688 (if command line auditing enabled) showing the reg.exe execution.
- Test 2: Delete Default RDP Connection File
Expected signal: Sysmon Event ID 11 (File Create): TargetFilename will show the creation of Default.rdp. Sysmon Event ID 23 (File Delete, if enabled): TargetFilename will show the deletion of Default.rdp. Sysmon Event ID 1 (Process Create): cmd.exe with CommandLine containing 'del' and 'Default.rdp'.
- Test 3: Clear DNS Client Cache to Remove Connection Evidence
Expected signal: Sysmon Event ID 1 (Process Create): ipconfig.exe with CommandLine 'ipconfig /flushdns'. Security Event ID 4688 (if command line auditing enabled) with same data. Note: this is a common operation so additional context (time of day, parent process, user account) is needed to distinguish malicious use.
- Test 4: Reset Windows Firewall Configuration via Netsh
Expected signal: Sysmon Event ID 1 (Process Create): netsh.exe with CommandLine 'netsh advfirewall reset'. Security Event ID 4688 (if command line auditing enabled). Additionally, Security Event ID 4950 (Windows Firewall setting has changed) may be generated in the Windows Firewall with Advanced Security operational log.
- Test 5: PowerShell Removal of RDP Cache Directory Contents
Expected signal: Sysmon Event ID 1 (Process Create): powershell.exe with CommandLine containing 'Remove-Item' and 'Terminal Server Client'. Sysmon Event ID 23 (File Delete): TargetFilename showing deletion within the Terminal Server Client\Cache path. PowerShell ScriptBlock Log Event ID 4104 with the full script content.
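A small validation harness helps check that the expected signals above actually appear in collected telemetry. The following added Python example (not code from this page, from Atomic Red Team or from Sysmon) parses Sysmon events in Windows event XML form and reports which of the five tests the events satisfy. The `EXPECTED_SIGNALS` table is a simplified transcription of the expected-signal list (Test 2's optional Event ID 11 and Test 4's Event ID 4950 are left out), and the sample events are constructed rather than captured.

```python
"""Parse constructed Sysmon events (Windows event XML) and report which of the
page's five tests the captured telemetry covers. Added example with constructed
events; the signal table is a simplified transcription of the page's list."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Per test: (Sysmon EventID, EventData field, substrings that must all appear).
EXPECTED_SIGNALS = {
    "Test 1": [(12, "TargetObject", ["Terminal Server Client"]),
               (1, "CommandLine", ["reg delete", "Terminal Server Client"])],
    "Test 2": [(23, "TargetFilename", ["Default.rdp"]),
               (1, "CommandLine", ["del", "Default.rdp"])],
    "Test 3": [(1, "CommandLine", ["ipconfig /flushdns"])],
    "Test 4": [(1, "CommandLine", ["netsh advfirewall reset"])],
    "Test 5": [(1, "CommandLine", ["Remove-Item", "Terminal Server Client"]),
               (23, "TargetFilename", ["Terminal Server Client\\Cache"])],
}


def parse_sysmon_event(xml_text):
    """Flatten one Sysmon event into {"EventID": int, <Data Name>: <text>, ...}."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {"EventID": event_id, **data}


def signal_seen(events, event_id, field, needles):
    """True if some event has the right ID and every needle in the named field."""
    for ev in events:
        if ev["EventID"] != event_id:
            continue
        value = ev.get(field, "").lower()
        if all(n.lower() in value for n in needles):
            return True
    return False


def coverage(events):
    """Map each test name to whether all of its expected signals were observed."""
    return {test: all(signal_seen(events, *sig) for sig in sigs)
            for test, sigs in EXPECTED_SIGNALS.items()}


# Constructed sample events: Test 1 and Test 3 telemetry only.
SAMPLE_EVENTS_XML = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>12</EventID></System>
  <EventData>
    <Data Name="EventType">DeleteKey</Data>
    <Data Name="Image">C:\Windows\System32\reg.exe</Data>
    <Data Name="TargetObject">HKU\S-1-5-21-1\Software\Microsoft\Terminal Server Client\Servers\srv01</Data>
  </EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\reg.exe</Data>
    <Data Name="CommandLine">reg delete "HKCU\Software\Microsoft\Terminal Server Client\Servers\srv01" /f</Data>
  </EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\ipconfig.exe</Data>
    <Data Name="CommandLine">ipconfig /flushdns</Data>
  </EventData>
</Event>""",
]

if __name__ == "__main__":
    parsed = [parse_sysmon_event(x) for x in SAMPLE_EVENTS_XML]
    for test, ok in coverage(parsed).items():
        print(f"{test}: {'covered' if ok else 'MISSING signal'}")
```

With the three constructed events, Tests 1 and 3 report as covered and Tests 2, 4 and 5 as missing; feeding the harness an export of the Sysmon channel taken after running the atomics shows at a glance which tests still lack telemetry (for example because Event ID 23 file-delete logging is not enabled).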
References (10)
- https://attack.mitre.org/techniques/T1070/007/
- https://docs.microsoft.com/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer
- https://www.osdfcon.org/presentations/2020/Brian-Moran_Putting-Together-the-RDPieces.pdf
- https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem
- https://www.secureworks.com/blog/bronze-silhouette-targets-us-government-and-defense-organizations
- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
- https://github.com/ANSSI-FR/bmc-tools
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/netsh
- https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.007/T1070.007.md