T1070.001 Clear Windows Event Logs

Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.

With administrator privileges, the event logs can be cleared with the following utility commands:

  • `wevtutil cl system`
  • `wevtutil cl application`
  • `wevtutil cl security`

These logs may also be cleared through other mechanisms, such as the Event Viewer GUI or PowerShell. For example, adversaries may use the PowerShell command `Remove-EventLog -LogName Security` to delete the Security event log and, after a reboot, disable future logging. Note: events may still be generated and written to the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)

Adversaries may also attempt to clear logs by directly deleting the stored log files within C:\Windows\System32\winevt\logs\.
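As an added example (not part of the ATT&CK text or the mappings project), the following Python flags log clearing in a stream of constructed event records shaped like a Windows event export. The record layout and field names are assumptions; 1102, 104 and 4688 are the real Windows event IDs for Security log cleared, System/Application log cleared and process creation.

```python
import re

# Real event IDs the Event Log service (provider Microsoft-Windows-Eventlog)
# writes when a log is cleared: 1102 for Security, 104 for other channels.
CLEAR_MARKERS = {1102: "Security log cleared", 104: "System/Application log cleared"}

# Command lines from the technique description; 'clear-log' is wevtutil's long
# form of 'cl'. Matched against Security 4688 process-creation events.
CLEAR_CMD_RE = re.compile(r"(?i)\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b|\bRemove-EventLog\b")

AUDIT = "Microsoft-Windows-Security-Auditing"
# Constructed sample records (not real telemetry); the dict shape is assumed.
SAMPLE_EVENTS = [
    {"RecordId": 1, "Channel": "Security", "Provider": AUDIT, "EventID": 4688,
     "CommandLine": "wevtutil.exe qe Security /c:5"},  # benign query, must not fire
    {"RecordId": 2, "Channel": "Security", "Provider": AUDIT, "EventID": 4688,
     "CommandLine": "wevtutil cl system"},
    {"RecordId": 3, "Channel": "System", "Provider": "Microsoft-Windows-Eventlog",
     "EventID": 104, "CommandLine": ""},
    {"RecordId": 4, "Channel": "Security", "Provider": AUDIT, "EventID": 4688,
     "CommandLine": "wevtutil cl security"},
    {"RecordId": 5, "Channel": "Security", "Provider": "Microsoft-Windows-Eventlog",
     "EventID": 1102, "CommandLine": ""},
    {"RecordId": 6, "Channel": "Security", "Provider": AUDIT, "EventID": 4688,
     "CommandLine": "powershell -c Remove-EventLog -LogName Security"},
]

def detect_log_clearing(events):
    """Return (RecordId, source, detail) per indicator of a cleared log.
    source is 'marker' for a 1102/104 record, 'process' for a matching command."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if ev.get("Provider") == "Microsoft-Windows-Eventlog" and eid in CLEAR_MARKERS:
            findings.append((ev["RecordId"], "marker", CLEAR_MARKERS[eid]))
        elif eid == 4688 and CLEAR_CMD_RE.search(ev.get("CommandLine", "")):
            findings.append((ev["RecordId"], "process", ev["CommandLine"]))
    return findings

def unconfirmed_clears(events):
    """RecordIds of clear commands not followed by a 1102/104 marker.
    Remove-EventLog deletes the log definition rather than clearing it, so a
    marker may never be written; the forwarded process event is then the only
    evidence, which is why both signals belong off-host."""
    findings = detect_log_clearing(events)
    marker_ids = [rid for rid, src, _ in findings if src == "marker"]
    return [rid for rid, src, _ in findings
            if src == "process" and not any(m > rid for m in marker_ids)]
```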


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
PR.PS-01.06 | Encryption management practices | Mitigates | T1070.001 | Clear Windows Event Logs
Comments: This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access to or theft of data, protecting the confidentiality and integrity of data at rest, data in use, and data in transit. To address Windows event log removal techniques, obfuscate or encrypt event files locally and in transit so that they give no feedback to an adversary.

PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1070.001 | Clear Windows Event Logs
Comments: This diagnostic statement protects against Clear Windows Event Logs through key management. Protecting the key material used to secure event logs, restricting it to specific accounts, and enforcing access control mechanisms together protect against adversaries trying to clear system logs.

ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1070.001 | Clear Windows Event Logs
Comments: This diagnostic statement protects data from being easily manipulated by adversaries who try to clear Windows event logs in the course of various intrusion activities. Encrypting files locally and in transit avoids handing usable data to an adversary. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access and exfiltration techniques.

ID.AM-08.05 | Data destruction procedures | Mitigates | T1070.001 | Clear Windows Event Logs
Comments: This diagnostic statement protects data from being easily manipulated by adversaries who try to clear Windows event logs in the course of various intrusion activities. Encrypting files locally and in transit avoids handing usable data to an adversary. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access and exfiltration techniques.

PR.PS-01.05 | Encryption standards | Mitigates | T1070.001 | Clear Windows Event Logs
Comments: This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access to or theft of data, protecting the confidentiality and integrity of data at rest, data in use, and data in transit. To address Windows event log removal techniques, obfuscate or encrypt event files locally and in transit so that they give no feedback to an adversary.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
CA-07 | Continuous Monitoring | mitigates | T1070.001 | Clear Windows Event Logs
CM-06 | Configuration Settings | mitigates | T1070.001 | Clear Windows Event Logs
AC-17 | Remote Access | mitigates | T1070.001 | Clear Windows Event Logs
CP-07 | Alternate Processing Site | mitigates | T1070.001 | Clear Windows Event Logs
CP-06 | Alternate Storage Site | mitigates | T1070.001 | Clear Windows Event Logs
SC-36 | Distributed Processing and Storage | mitigates | T1070.001 | Clear Windows Event Logs
SI-23 | Information Fragmentation | mitigates | T1070.001 | Clear Windows Event Logs
CP-09 | System Backup | mitigates | T1070.001 | Clear Windows Event Logs
AC-19 | Access Control for Mobile Devices | mitigates | T1070.001 | Clear Windows Event Logs
SC-04 | Information in Shared System Resources | mitigates | T1070.001 | Clear Windows Event Logs
SI-12 | Information Management and Retention | mitigates | T1070.001 | Clear Windows Event Logs
SI-03 | Malicious Code Protection | mitigates | T1070.001 | Clear Windows Event Logs
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1070.001 | Clear Windows Event Logs
AC-16 | Security and Privacy Attributes | mitigates | T1070.001 | Clear Windows Event Logs
AC-18 | Wireless Access | mitigates | T1070.001 | Clear Windows Event Logs
CM-02 | Baseline Configuration | mitigates | T1070.001 | Clear Windows Event Logs
SI-04 | System Monitoring | mitigates | T1070.001 | Clear Windows Event Logs
AC-02 | Account Management | mitigates | T1070.001 | Clear Windows Event Logs
AC-03 | Access Enforcement | mitigates | T1070.001 | Clear Windows Event Logs
AC-05 | Separation of Duties | mitigates | T1070.001 | Clear Windows Event Logs
AC-06 | Least Privilege | mitigates | T1070.001 | Clear Windows Event Logs

Known Exploited Vulnerabilities Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
CVE-2023-36884 | Microsoft Windows Search Remote Code Execution Vulnerability | secondary_impact | T1070.001 | Clear Windows Event Logs
Comments: This remote code execution vulnerability in Microsoft Office has been exploited by adversarial groups to distribute ransomware. Attackers use specially crafted Microsoft Office documents to bypass security features, enabling remote code execution without user prompts. These documents are typically delivered through phishing, enticing victims to open them. Once opened, the ransomware encrypts files and demands a ransom for decryption, while also removing system backups and leaving a ransom note threatening data loss if recovery is attempted without the provided decryptor key. The ransomware further erases system logs and may publish stolen data on leak websites, leading to unauthorized access to sensitive information and potential installation of backdoors for further exploitation. Microsoft addressed this vulnerability in its security updates by introducing measures to make file paths unpredictable, thereby mitigating the exploit chain. Despite these updates, additional vulnerabilities in Microsoft Office and Windows were identified. Security solutions offer protection against these exploits, and findings are shared with cybersecurity alliances to enhance collective defense efforts. This vulnerability has been exploited by the Russian group Storm-0978, also known as RomCom, who craft specially designed Microsoft Office documents related to the Ukrainian World Congress. These documents bypass Microsoft's Mark-of-the-Web (MotW) security feature, enabling remote code execution without security prompts. The adversary used phishing to deliver these documents, enticing victims to open them. Once opened, the ransomware, known as Underground, executes, encrypting files and demanding a ransom for decryption. The ransomware further removes shadow copies, terminates MS SQL Server services, and leaves a ransom note threatening data loss if recovery is attempted without their decryptor key. It also erases Windows Event logs and publishes stolen victim data on a data leak website, causing unauthorized access to sensitive information and potential installation of backdoors for further exploitation.

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
attribute.integrity.variety.Log tampering | Log tampering or modification | related-to | T1070.001 | Clear Windows Event Logs

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
microsoft_sentinel | Microsoft Sentinel | technique_scores | T1070.001 | Clear Windows Event Logs
Comments: The Microsoft Sentinel Hunting "Security Event Log Cleared" query can detect clearing of the Security event log, though not necessarily clearing of any arbitrary Windows event log.

alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1070.001 | Clear Windows Event Logs
Comments: This control may detect when an event log has been cleared or IIS logs have been deleted. The following alerts may be generated: "Detected actions indicative of disabling and deleting IIS log files", "An event log was cleared".

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
google_secops | Google Security Operations | technique_scores | T1070.001 | Clear Windows Event Logs
Comments: Google Security Operations is able to trigger an alert based on suspicious system events used to evade defenses, such as deletion of Windows Security event logs. This technique was scored as minimal based on a low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/main/gcp_cloudaudit/gcp_log_deletion.yaral

M365 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
PUR-AUS-E5 | Audit Solutions | Technique Scores | T1070.001 | Clear Windows Event Logs
Comments: Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization. Microsoft's Audit Solutions detect Indicator Removal attacks through the File and Page Audit Log activities, which monitor for newly created files, for contextual data about files, and for changes made to files. License Requirements: Microsoft 365 E3 and E5

PUR-INPR-E5 | Information Protection | Technique Scores | T1070.001 | Clear Windows Event Logs
Comments: Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. Information Protection protects against Indicator Removal attacks by encrypting files containing personally identifying information and other sensitive data shared in a cloud app and by applying sensitivity labels to limit access to employees of your company only. License Requirements: Microsoft Defender for Office 365 plan 1 and plan 2