Try in Splunk Security Cloud

Description

Adversaries often try to cover their tracks by manipulating Windows logs. Use these searches to help you monitor for suspicious activity surrounding log files–an essential component of an effective defense.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2017-09-12
  • Author: Rico Valdez, Splunk
  • ID: b6db2c60-a281-48b4-95f1-2cd99ed56835

Narrative

Because attackers often modify system logs to cover their tracks and/or to thwart the investigative process, log monitoring is an industry-recognized best practice. While there are legitimate reasons to manipulate system logs, it is still worthwhile to keep track of who manipulated the logs, when they manipulated them, and in what way they manipulated them (determining which accesses, tools, or utilities were employed). Even if no malicious activity is detected, the knowledge of an attempt to manipulate system logs may be indicative of a broader security risk that should be thoroughly investigated.
The Analytic Story gives users two different ways to detect manipulation of Windows Event Logs and one way to detect deletion of the Update Sequence Number (USN) Change Journal. The story helps determine the history of the host and the users who have accessed it. Finally, the story aides in investigation by retrieving all the information on the process that caused these events (if the process has been identified).

Detections

Name Technique Type
Deleting Shadow Copies Inhibit System Recovery TTP
Illegal Deletion of Logs via Mimikatz modules Indicator Removal on Host TTP
Suspicious Event Log Service Behavior Clear Windows Event Logs TTP
Suspicious wevtutil Usage Clear Windows Event Logs TTP
USN Journal Deletion Indicator Removal on Host TTP
WevtUtil Usage To Clear Logs Clear Windows Event Logs TTP
Wevtutil Usage To Disable Logs Clear Windows Event Logs TTP
Windows Event Log Cleared Clear Windows Event Logs TTP

Reference

source | version: 2