This use case looks for Windows event codes that indicate the Windows Audit Logs were tampered with.
Use Case
Advanced Threat Detection
Category
Endpoint Compromise
Alert Volume
Low (?)
SPL Difficulty
Basic
Journey
Stage 1
MITRE ATT&CK Tactics
Defense Evasion
MITRE ATT&CK Techniques
Indicator Removal on Host
MITRE Threat Groups
APT28
APT29
APT32
APT38
APT41
Dragonfly 2.0
FIN5
FIN8
Kill Chain Phases
Actions on Objectives
Data Sources
Windows Security
How to Implement
To run this search, you need to be logging Windows event logs from your Windows Systems.
Known False Positives
None at the moment
How To Respond
When this search fires, you will want to verify with the owner of the account responsible for clearing the Windows Logs that it was a legitimate action taken on their part. You will want to analyze the parent process to wevtutil and verify its activities.
Help
Windows Event Log Clearing Events Help
This use case looks for Windows event codes that indicate the Windows Audit Logs were tampered with.
SPL for Windows Event Log Clearing Events
Demo Data
| inputlookup UC_windows_event_log
First we load our basic demo data
| search (source="*WinEventLog:Security"AND (EventCode=1102OR EventCode=1100)) OR (source="*WinEventLog:System"AND EventCode=104)
Next we filter for the Event Codes that indicate the Windows event log is being cleared. You can see there are a few possibilities.
| table _time EventCode Message sourcetype host
Finally, because we respect analysts, we put it in a nice easy-to-consume table.
Live Data
index=* (source="*WinEventLog:Security"AND (EventCode=1102OR EventCode=1100)) OR ((source="*WinEventLog:System"OR XmlWinEventlog:System) AND EventCode=104)
First we load our Windows Event Log data and filter for the Event Codes that indicate the Windows event log is being cleared. You can see there are a few possibilities.
| statscountby _time EventCode sourcetype host
Then, because we respect analysts, we put it in a nice easy-to-consume table.