All pages
Powered by GitBook
1 of 1

Clear Network Connection History and Logs

Clear Network Connection History and Logs [T1070.007]

Information

  • Name: Clear Network Connection History and Configurations

  • ID: T1070.007

Introduction

The MITRE ATT&CK sub-technique T1070.007, "Clear Network Connection History and Logs," falls under the broader technique of Indicator Removal on Host (T1070). Adversaries utilize this sub-technique to erase or manipulate logs and records related to network connections, thereby obscuring their activities and hindering forensic investigations and incident response efforts. By clearing or modifying network logs, attackers aim to remove evidence of their presence, impede detection, and avoid attribution.

Deep Dive Into Technique

Adversaries typically execute this sub-technique by directly accessing and modifying log files or leveraging built-in system utilities and commands to delete or overwrite network connection history. The primary goal is to remove traces of unauthorized access, lateral movement, or data exfiltration activities.

Technical execution methods include:

  • Manual Log Deletion or Modification:

    • Attackers manually delete or modify log files stored on compromised hosts, network devices, or centralized logging servers.

    • Commonly targeted logs include firewall logs, VPN connection logs, network device access logs, and operating system event logs.

  • Using System Commands and Utilities:

    • Windows:

      • wevtutil: Used to clear Windows Event Logs, including network-related events.

      • Deletion of logs in %SystemRoot%\System32\winevt\Logs.

    • Linux/Unix:

      • Directly editing or removing log files located in /var/log/ (e.g., /var/log/auth.log, /var/log/syslog, /var/log/messages).

      • Commands such as:

      • Overwriting logs with empty content:

  • Automated Scripts and Malware:

    • Adversaries may deploy automated scripts or custom malware to systematically clear logs after specific actions or at regular intervals.

    • Such tools may be embedded within persistent malware implants or remote access trojans (RATs).

  • Tampering Network Devices and Appliances:

    • Attackers may access network devices (routers, firewalls, VPN gateways) to erase or alter logging configurations and historical connection logs.

    • This includes direct manipulation of device configuration or log storage systems through administrative interfaces or command-line interfaces.

When this Technique is Usually Used

This sub-technique is commonly employed in multiple stages of an attack lifecycle, particularly during and after intrusion activities to evade detection and forensic analysis:

  • Initial Access and Establishment:

    • Immediately after gaining unauthorized access, attackers may clear initial connection logs to conceal their entry point.

  • Lateral Movement:

    • After moving laterally between internal hosts or network segments, adversaries remove logs to erase evidence of compromised accounts, IP addresses, or exploited vulnerabilities.

  • Data Exfiltration:

    • Following data theft, attackers clear logs to hide network connections to external command-and-control (C2) servers or data exfiltration endpoints.

  • Persistence and Long-term Access:

    • Attackers periodically remove logs to maintain stealthy persistence within the compromised environment, making detection challenging over extended periods.

  • Incident Response Avoidance:

    • If adversaries suspect detection or active incident response activities, they may proactively clear logs to disrupt forensic investigations and obscure their activities.

How this Technique is Usually Detected

Detection of log clearing or modification activities involves monitoring, analyzing, and alerting on unusual behaviors or anomalies related to log files and logging services. Effective detection methods include:

  • File Integrity Monitoring (FIM):

    • Implementing FIM solutions to detect unauthorized changes or deletions within critical log files or directories (/var/log/, Windows Event Logs directories).

  • Centralized Log Management and SIEM:

    • Aggregating logs into centralized Security Information and Event Management (SIEM) systems for real-time monitoring and alerting on anomalies such as sudden log file size reduction or log deletion events.

  • Audit Logging and Event Monitoring:

    • Enabling audit logging of administrative commands (e.g., rm, wevtutil, history -c) and monitoring event IDs related to log clearing actions:

      • Windows Event ID 1102 ("Audit Log Cleared").

      • Linux auditd rules to track deletion or modification of log files (/var/log/*).

  • Behavioral Analytics and Anomaly Detection:

    • Leveraging behavioral analytics to detect abnormal user or service account activities, such as executing log deletion commands, accessing log files, or disabling logging mechanisms.

  • Endpoint Detection and Response (EDR) Tools:

    • Using EDR solutions to detect suspicious processes or scripts interacting with log files or executing commands typically associated with log clearing.

Indicators of Compromise (IoCs) include:

  • Sudden disappearance or truncation of log files.

  • Gaps or missing timeframes within logs.

  • Unexpected administrative commands executed (e.g., log deletion commands).

  • Alerts generated by FIM or SIEM systems indicating unauthorized log file modifications.

  • Disabled or altered logging configurations on network devices or hosts.

Why it is Important to Detect This Technique

Early detection of this sub-technique is critical due to its direct impact on incident response, forensic analysis, and organizational security posture. Specifically, the importance arises from:

  • Loss of Critical Forensic Evidence:

    • Clearing logs eliminates crucial evidence required for incident investigation, attribution, and determining the scope of compromise.

  • Delayed Detection and Response:

    • Successful log clearing extends dwell time, allowing attackers to persist within the environment unnoticed, increasing potential damage.

  • Reduced Visibility into Network Activities:

    • Without accurate logs, organizations lose visibility into network connections, lateral movements, and data exfiltration attempts, severely hindering security monitoring and threat hunting efforts.

  • Increased Risk of Future Attacks:

    • Attackers who successfully clear logs and remain undetected can exploit the compromised environment repeatedly, escalating privileges, stealing sensitive data, or deploying ransomware.

  • Compliance and Regulatory Issues:

    • Loss of logs and records may lead to non-compliance with regulatory requirements, resulting in legal and financial repercussions.

Examples

Real-world examples of adversaries employing this sub-technique include:

  • APT28 (Fancy Bear):

    • Known to delete logs and event records after intrusion activities to obscure their presence and complicate forensic analysis.

    • Utilized commands such as wevtutil cl on compromised Windows systems to clear event logs.

  • APT29 (Cozy Bear):

    • Observed clearing Bash history files (~/.bash_history) and selectively deleting system logs (/var/log/messages, /var/log/auth.log) on compromised Linux hosts.

  • FIN7 Cybercrime Group:

    • Utilized scripts and malware payloads designed to clear event logs and erase evidence of lateral movement and data exfiltration activities from compromised point-of-sale (POS) systems.

  • DarkSide Ransomware Operators:

    • After exfiltrating sensitive data and deploying ransomware payloads, attackers cleared Windows event logs and other network connection history to complicate incident response and forensic investigations.

  • Operation Cleaver (Iranian Threat Actor):

    • Attackers removed logs and disabled logging mechanisms on compromised network devices and servers to conceal their presence and evade detection.

These examples illustrate the significant role that log clearing plays in sophisticated cyber-attacks, highlighting the necessity of robust detection and prevention mechanisms.