Analytics Story: Windows Log Manipulation
Description
Adversaries often try to cover their tracks by manipulating Windows logs. Use these searches to help you monitor for suspicious activity surrounding log files--an essential component of an effective defense.
Why it matters
Because attackers often modify system logs to cover their tracks and/or to thwart the investigative process, log monitoring is an industry-recognized best practice. While there are legitimate reasons to manipulate system logs, it is still worthwhile to keep track of who manipulated the logs, when they manipulated them, and in what way they manipulated them (determining which accesses, tools, or utilities were employed). Even if no malicious activity is detected, the knowledge of an attempt to manipulate system logs may be indicative of a broader security risk that should be thoroughly investigated. The Analytic Story gives users two different ways to detect manipulation of Windows Event Logs and one way to detect deletion of the Update Sequence Number (USN) Change Journal. The story helps determine the history of the host and the users who have accessed it. Finally, the story aides in investigation by retrieving all the information on the process that caused these events (if the process has been identified).
Detections
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor |
crowdstrike |
Sysmon EventID 1 | Windows | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Windows Event Log Security 1100 | Windows | xmlwineventlog |
XmlWinEventLog:Security |
Windows Event Log Security 1102 | Windows | xmlwineventlog |
XmlWinEventLog:Security |
Windows Event Log Security 4688 | Windows | xmlwineventlog |
XmlWinEventLog:Security |
References
- https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
- https://zeltser.com/security-incident-log-review-checklist/
- http://journeyintoir.blogspot.com/2013/01/re-introducing-usnjrnl.html
Source: GitHub | Version: 2