title: Clear Network Connection History and Configurations (T1070.007)
id: df00tech-t1070-007
status: experimental
description: "Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as Remote Services or External Remote Services. Network connection history may be stored in Windows Registry values under HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default and Servers, in files such as Default.rdp and RDP cache files, or in system logs on macOS and Linux. Adversaries may delete or modify this data to conceal indicators and impede defensive analysis."
references:
  - https://attack.mitre.org/techniques/T1070/007/
  - https://df00tech.com/detections/T1070.007
author: df00tech
date: 2026/04/13
tags:
  - attack.t1070.007
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
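  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder: EventID: '*' matches any event that carries an
  # EventID field, so it does not yet express the technique described above.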
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - System administrators clearing RDP connection lists as part of routine IT maintenance or user profile cleanup
  - "Enterprise IT tools (SCCM, Group Policy scripts) that reset network configurations during device re-imaging or re-provisioning"
  - Security hardening scripts that flush DNS cache and reset network settings as part of scheduled maintenance windows
  - Users manually clearing their own RDP history for privacy or organizational hygiene purposes
  - Antivirus or endpoint management software that clears cached network state during remediation workflows
level: medium
