Windows Event Log Clearing Events

Description

This use case looks for the Windows event codes that are written when a Windows event log (the Security audit log or one of the other logs) is cleared, a common sign that an attacker is covering their tracks.


Use Case

Advanced Threat Detection

Category

Endpoint Compromise

Alert Volume

Low

SPL Difficulty

Basic

Journey

Stage 1

MITRE ATT&CK Tactics

Defense Evasion

MITRE ATT&CK Techniques

Indicator Removal on Host

MITRE Threat Groups

APT28
APT29
APT32
APT38
APT41
Dragonfly 2.0
FIN5
FIN8

Kill Chain Phases

Actions on Objectives

Data Sources

Windows Security

How to Implement

To run this search, you need to be collecting Windows event logs from your Windows systems into Splunk (for example with the Splunk Add-on for Microsoft Windows). Event code 1102 ("The audit log was cleared") is written to the Security log and event code 104 ("The ... log file was cleared") is written to the System log, so both the Security and System logs must be forwarded for the search to see every case.

Known False Positives

None documented at the moment. Be aware that an administrator who clears a log deliberately (for example after exporting it, or while building an image) produces exactly the same event, which is why the response steps below start with confirming the action with the account owner.

How To Respond
</gre_replace>
<gr_replace lines="65" cat="clarify" orig="When this search fires">
When this search fires, verify with the owner of the account that cleared the log (recorded in the Subject fields of event 1102) that it was a legitimate action on their part. Identify the process that performed the clear and analyze its parent process and its other activity: wevtutil is the usual tool, but the Event Viewer GUI and PowerShell's Clear-EventLog produce the same events, so do not assume wevtutil. Treat any log clearing that the owner cannot explain as a likely attempt to remove indicators, and pull whatever preceded it from other sources (forwarded copies of the logs, EDR telemetry, Sysmon) before it was cleared.

When this search fires, you will want to verify with the owner of the account responsible for clearing the Windows Logs that it was a legitimate action taken on their part. You will want to analyze the parent process to wevtutil and verify its activities.

Help

Windows Event Log Clearing Events Help

SPL for Windows Event Log Clearing Events

Demo Data

1. First we load our basic demo data.
2. Next we filter for the event codes that indicate a Windows event log is being cleared. There are a few possibilities: 1102 in the Security log (the audit log was cleared) and 104 in the System log (a log file such as System or Application was cleared).
3. Finally, because we respect analysts, we put the results in a nice easy-to-consume table.

Live Data

1. First we load our Windows event log data and filter for the event codes that indicate a Windows event log is being cleared. There are a few possibilities: 1102 in the Security log (the audit log was cleared) and 104 in the System log (a log file such as System or Application was cleared).
2. Then, because we respect analysts, we put the results in a nice easy-to-consume table.
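The following is an added example, not the page's own SPL or Splunk's code: the same detection logic (filter on the log-clearing event codes, then tabulate) written in Python and run over a handful of constructed Windows event records, so the Demo Data and Live Data steps above can be tried offline. The record field names (_time, host, user, EventCode, LogName, Message) are assumed to mirror the fields the Splunk Windows add-on extracts; the sample events, hosts and user names are made up. As Splunk does, it treats EventCode as a string and tolerates malformed values.

```python
"""Detect Windows event log clearing (event codes 1102 and 104) over sample records.

Added example; the records below are constructed for illustration and the field
names are assumptions modelled on Splunk's Windows event log extractions.
"""

# Event codes written when a log is cleared:
#   1102 - "The audit log was cleared"      (Security log, source Microsoft-Windows-Eventlog)
#    104 - "The <name> log file was cleared" (System log, covers System/Application/other logs)
LOG_CLEAR_CODES = {
    1102: "Security audit log cleared",
    104: "Event log file cleared (non-Security log)",
}

# Constructed sample events (not real telemetry). EventCode is a string, as in Splunk.
SAMPLE_EVENTS = [
    {"_time": "2024-03-04T09:12:01Z", "host": "WS01", "EventCode": "4624", "LogName": "Security",
     "user": "alice", "Message": "An account was successfully logged on."},
    {"_time": "2024-03-04T09:15:02Z", "host": "WS01", "EventCode": "104", "LogName": "System",
     "user": "alice", "Message": "The System log file was cleared."},
    {"_time": "2024-03-04T09:14:47Z", "host": "WS01", "EventCode": "1102", "LogName": "Security",
     "user": "alice", "Message": "The audit log was cleared."},
    {"_time": "2024-03-04T10:02:13Z", "host": "SRV02", "EventCode": "4688", "LogName": "Security",
     "user": "svc_backup", "Message": "A new process has been created."},
    {"_time": "2024-03-04T10:02:14Z", "host": "SRV02", "EventCode": "n/a", "LogName": "System",
     "user": "svc_backup", "Message": "Malformed record used to exercise the parser."},
]

COLUMNS = ["_time", "host", "user", "EventCode", "LogName", "signature"]


def find_log_clearing(events):
    """Return the log-clearing events as rows, oldest first (the 'filter' step)."""
    hits = []
    for ev in events:
        try:
            code = int(str(ev.get("EventCode", "")).strip())
        except ValueError:
            continue  # missing or non-numeric EventCode: cannot be a match, skip it
        if code in LOG_CLEAR_CODES:
            hits.append({
                "_time": ev.get("_time", ""),
                "host": ev.get("host", ""),
                "user": ev.get("user", ""),
                "EventCode": code,
                "LogName": ev.get("LogName", ""),
                "signature": LOG_CLEAR_CODES[code],
            })
    hits.sort(key=lambda r: r["_time"])
    return hits


def render_table(rows):
    """Lay the rows out as a fixed-width text table (the 'table' step)."""
    widths = {c: max([len(c)] + [len(str(r[c])) for r in rows]) for c in COLUMNS}
    header = "  ".join(c.ljust(widths[c]) for c in COLUMNS)
    rule = "  ".join("-" * widths[c] for c in COLUMNS)
    body = ["  ".join(str(r[c]).ljust(widths[c]) for c in COLUMNS) for r in rows]
    return "\n".join([header, rule] + body)


def clears_by_host_and_user(rows):
    """Count clears per (host, user): a quick triage view of who cleared what, where."""
    counts = {}
    for r in rows:
        key = (r["host"], r["user"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_log_clearing(SAMPLE_EVENTS)
    print(render_table(hits))
    print()
    for (host, user), n in clears_by_host_and_user(hits).items():
        print(f"{host}\t{user}\t{n} log clear event(s)")
```

Running it prints the two log-clearing events from WS01 (the 1102 Security clear followed by the 104 System clear, both by alice) and ignores the logon, process-creation and malformed records. In Splunk the equivalent is a search restricted to EventCode 1102 or 104 followed by a table command over the same fields; the per-host, per-user count is the first thing to check before contacting the account owner as described under How To Respond.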