Name:Windows Event Log Cleared id:ad517544-aff9-4c96-bd99-d6eb43bfbb6a version:14 date:2025-02-10 author:Rico Valdez, Michael Haag, Splunk status:production type:TTP Description:The following analytic detects the clearing of Windows event logs by identifying Windows Security Event ID 1102 or System log event 104. This detection leverages Windows event logs to monitor for log clearing activities. Such behavior is significant as it may indicate an attempt to cover tracks after malicious activities. If confirmed malicious, this action could hinder forensic investigations and allow attackers to persist undetected, making it crucial to investigate further and correlate with other alerts and data sources. Data_source:
-Windows Event Log Security 1102
-Windows Event Log System 104
search:(`wineventlog_security` EventCode=1102) OR (`wineventlog_system` EventCode=104) | stats count min(_time) as firstTime max(_time) as lastTime by action app change_type dest dvc name object_attrs object_category signature signature_id src_user status subject user vendor_product object EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_event_log_cleared_filter`
how_to_implement:To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed. known_false_positives:It is possible that these logs may be legitimately cleared by Administrators. Filter as needed. References: -https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1102 -https://www.ired.team/offensive-security/defense-evasion/disabling-windows-event-logs-by-suspending-eventlog-service-threads -https://attack.mitre.org/techniques/T1070/001/ -https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md drilldown_searches: name:'View the detection results for - "$dest$"' search:'%original_detection_search% | search dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'ShrinkLocker' - 'Windows Log Manipulation' - 'Ransomware' - 'CISA AA22-264A' - 'Compromised Windows Host' - 'Clop Ransomware' asset_type:Endpoint mitre_attack_id: - 'T1070.001' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:endpoint
