Anomalous Audit Trail Activity Detected

Description

Discovers anomalous activity such as the deletion or clearing of log files. Attackers often clear log files to hide their actions, so this activity may indicate that the system has been compromised.
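The kind of check this detection describes, as an added example that is not part of the original page and not the product's own SPL search: it scans constructed Windows Security events (simplified key=value lines, not real telemetry) for Event ID 1102, the standard Windows event recorded when the Security log is cleared, and reports which account cleared which host's log so each occurrence can be reviewed.

```python
import re
from collections import defaultdict

# Standard Windows Security event raised when the Security log is cleared.
AUDIT_LOG_CLEARED = 1102

# Constructed sample events in a simplified key=value form (not real telemetry).
SAMPLE_EVENTS = [
    "host=ws01 EventCode=4624 SubjectUserName=alice",
    "host=ws01 EventCode=1102 SubjectUserName=alice",
    "host=srv02 EventCode=4688 SubjectUserName=svc_backup",
    "host=srv02 EventCode=1102 SubjectUserName=bob",
    "host=srv02 EventCode=1102 SubjectUserName=bob",
    "host=ws03 EventCode=4634 SubjectUserName=carol",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one 'key=value key=value' line into a dict of string fields."""
    return dict(FIELD_RE.findall(line))


def find_log_clears(lines):
    """Return {(host, user): count} for every Security-log-cleared event.

    Any hit is worth reviewing: the Security log is rarely cleared on purpose,
    and clearing it removes the evidence of whatever happened before.
    """
    hits = defaultdict(int)
    for line in lines:
        event = parse_event(line)
        if event.get("EventCode") == str(AUDIT_LOG_CLEARED):
            key = (event.get("host", "?"), event.get("SubjectUserName", "?"))
            hits[key] += 1
    return dict(hits)


if __name__ == "__main__":
    for (host, user), count in sorted(find_log_clears(SAMPLE_EVENTS).items()):
        print(f"ALERT: audit log cleared on {host} by {user} ({count}x)")
```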

Content Mapping

This content is not mapped to any local saved search.

Use Case

Security Monitoring, Insider Threat

Category

Endpoint Compromise, Insider Threat

Alert Volume

SPL Difficulty

Medium

Journey

Stage 2

MITRE ATT&CK Tactics

Defense Evasion

MITRE ATT&CK Techniques

Indicator Removal on Host
Clear Command History
File Deletion
MITRE Threat Groups

APT18
APT28
APT29
APT3
APT32
APT38
APT41
BRONZE BUTLER
Cobalt Group
Dragonfly 2.0
FIN10
FIN5
FIN6
FIN8
Gamaredon Group
Group5
Honeybee
Kimsuky
Lazarus Group
Magic Hound
OilRig
Patchwork
Rocke
Sandworm Team
Silence
TEMP.Veles
The White Company
Threat Group-3390
Tropic Trooper
Wizard Spider
menuPass

Data Sources

Windows Security