Indicator Removal: Clear Windows Event Logs

Created the Saturday 23 March 2019. Updated 2 months, 2 weeks ago.

Event logging is a process that records important software and hardware events from various sources and stores them in a centralized location called an event log. This service is commonly used by applications and operating systems to track and troubleshoot issues, and can be a valuable tool for forensic investigations.

Event logs can provide valuable information about the actions taken by an attacker during a security breach, including the time and date of the attack, the source of the attack, and any changes made to the system. However, attackers may attempt to delete or clear event logs to conceal their actions and evade detection.

Forensic investigators can look for signs of event log tampering by checking for the presence of event clear ID 1102, which indicates that the audit log has been cleared. This can be an indication that an attacker has attempted to cover their tracks.

Technique Identifiers

T1070.001 U0302

Technique Tags

Defense Evasion event log wevtutil cl system wevtutil cl application wevtutil cl security wipe logs APT28 APT32 APT38 APT41

Code Snippets

Description

Common commands found in malware.

wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:

Detection Rules

                                    rule:
  meta:
    name: clear the Windows event log
    namespace: anti-analysis/anti-forensic/clear-logs
    author: michael.hunhoff@fireeye.com
    scope: basic block
    att&ck:
      - Defense Evasion::Indicator Removal on Host::Clear Windows Event Logs [T1070.001]
    examples:
      - 82BF6347ACF15E5D883715DC289D8A2B:0x14005E0C0
  features:
    - and:
      - api: advapi32.ElfClearEventLogFile
      - optional:
        - api: advapi32.OpenEventLog

rule:
  meta:
    name: crash the Windows event logging service
    namespace: anti-analysis/anti-forensic
    author: michael.hunhoff@fireeye.com
    scope: basic block
    att&ck:
      - Defense Evasion::Impair Defenses::Disable Windows Event Logging [T1562.002]
    references:
      - https://github.com/limbenjamin/LogServiceCrash
    examples:
      - 82BF6347ACF15E5D883715DC289D8A2B:0x14005E0C0
  features:
    - and:
      - count(api(advapi32.ElfClearEventLogFileW)): 3 or more
      - count(api(advapi32.OpenEventLogA)): 1 or more

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.