Try in Splunk Security Cloud


Adversaries often try to cover their tracks by manipulating Windows logs. Use these searches to help you monitor for suspicious activity surrounding log files–an essential component of an effective defense.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2017-09-12
  • Author: Rico Valdez, Splunk
  • ID: b6db2c60-a281-48b4-95f1-2cd99ed56835


Because attackers often modify system logs to cover their tracks and/or to thwart the investigative process, log monitoring is an industry-recognized best practice. While there are legitimate reasons to manipulate system logs, it is still worthwhile to keep track of who manipulated the logs, when they manipulated them, and in what way they manipulated them (determining which accesses, tools, or utilities were employed). Even if no malicious activity is detected, the knowledge of an attempt to manipulate system logs may be indicative of a broader security risk that should be thoroughly investigated. The Analytic Story gives users two different ways to detect manipulation of Windows Event Logs and one way to detect deletion of the Update Sequence Number (USN) Change Journal. The story helps determine the history of the host and the users who have accessed it. Finally, the story aides in investigation by retrieving all the information on the process that caused these events (if the process has been identified).


Name Technique Type
Deleting Shadow Copies Inhibit System Recovery TTP
Suspicious Event Log Service Behavior Indicator Removal, Clear Windows Event Logs Hunting
Suspicious wevtutil Usage Clear Windows Event Logs, Indicator Removal TTP
USN Journal Deletion Indicator Removal TTP
WevtUtil Usage To Clear Logs Indicator Removal, Clear Windows Event Logs TTP
Wevtutil Usage To Disable Logs Indicator Removal, Clear Windows Event Logs TTP
Windows Event Log Cleared Indicator Removal, Clear Windows Event Logs TTP


source | version: 2