Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0049: Behavioral Detection of Network History and Configuration Tampering

This detection strategy is relevant because it points defenders at attempts to erase network connection history or configuration evidence after activity su...

EnterpriseDET0049Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy is relevant because it points defenders at attempts to erase network connection history or configuration evidence after activity such as remote access. Even though the ATT&CK detection strategy entry does not provide detailed detection logic, its relationship to Clear Network Connection History and Configurations (T1070.007) makes the business issue clear: if this evidence is removed or altered, incident responders may lose the timeline needed to determine scope, contain access, and support audit or legal reporting decisions.

Executive priority

Treat this as an evidence-preservation and incident-readiness priority. Leaders should ask whether SOC and IR teams can still reconstruct network access when local connection artifacts, device configuration history, or application logs are cleared. The control decision is less about one alert and more about resilience: centralized logging, tamper-resistant retention, and validated response procedures reduce the risk that an intruder can erase the facts needed for containment, recovery, and compliance evidence.

Technical view

Validate detection around the related ATT&CK technique T1070.007, which covers clearing or removing evidence of malicious network connections and configurations. Because this detection strategy has no official detection text or platform list, teams should scope engineering work from the related technique context: Linux, macOS, Windows, and network devices may create connection history, configuration artifacts, or application logs associated with remote services and external remote services. SOC teams should test whether deletion, clearing, or unexpected modification of these artifacts is visible in centralized telemetry and whether responders can compare endpoint or device state against retained logs.

Likely telemetry

  • Centralized system and application logs that record network connection history
  • Network device configuration and change logs
  • Endpoint file, process, and audit events related to removal or modification of connection-history artifacts
  • Remote access, remote services, and external remote services logs
  • Log forwarding, retention, and integrity signals showing gaps, clearing, or tampering

Detection direction

  • Inventory where network connection history and configuration evidence is generated across the environments implied by the related technique: Linux, macOS, Windows, and network devices.
  • Validate alerts for clearing, deletion, truncation, or suspicious modification of logs and configuration artifacts rather than relying only on the presence of connection records.
  • Correlate artifact tampering with remote services or external remote services activity, since the related technique notes those behaviors can create the evidence adversaries may try to remove.
  • Tune for legitimate administrative maintenance, log rotation, and approved configuration changes to reduce false positives while still escalating unexpected or poorly documented clearing activity.
  • Check for blind spots where logs remain only on the local system or device; local-only evidence is more vulnerable to removal before responders can review it.

Mitigation priorities

  • Prioritize centralized, timely collection of connection history, application logs, and network device configuration changes.
  • Use retention and integrity controls so cleared local artifacts can be compared against independent records.
  • Establish approved change-management expectations for configuration clearing, log rotation, and administrative cleanup activity.
  • Exercise incident response procedures to confirm teams can reconstruct network access even when local artifacts are missing or altered.
  • Review coverage for systems and network devices that support remote access paths, since those are explicitly relevant in the related technique context.
Analyst notes and limits

The source object is a detection strategy, DET0049, but the supplied ATT&CK fields include no official description, no official detection logic, no tactics, and no direct platform list. The strongest supported context comes from its relationship to T1070.007, Clear Network Connection History and Configurations, including the related platforms and description. Local validation is required to determine which artifacts exist, which logs are collected, and what clearing activity is legitimate in a given environment.

This take does not assert active exploitation, attribution, or existing detection coverage. It also does not provide vendor-specific analytics because the ATT&CK detection strategy entry supplied here contains no official detection implementation details. Platform references are derived from the related technique, not from the detection strategy object itself.

Official MITRE ATT&CK definition

Behavioral Detection of Network History and Configuration Tampering

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1070.007 Clear Network Connection History and Configurations Sub-technique This object detects Clear Network Connection History and Configurations.
Relationship explorer

All related ATT&CK context

detects · Technique T1070.007: Clear Network Connection History and Configurations Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
0d49adbbc7c926bf...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 0d49adbbc7c9…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0049
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use