Name:Windows Event Log Cleared id:ad517544-aff9-4c96-bd99-d6eb43bfbb6a version:11 date:2024-11-28 author:Rico Valdez, Michael Haag, Splunk status:production type:TTP Description:The following analytic detects the clearing of Windows event logs by identifying Windows Security Event ID 1102 or System log event 104. This detection leverages Windows event logs to monitor for log clearing activities. Such behavior is significant as it may indicate an attempt to cover tracks after malicious activities. If confirmed malicious, this action could hinder forensic investigations and allow attackers to persist undetected, making it crucial to investigate further and correlate with other alerts and data sources. Data_source:
-Windows Event Log Security 1102
-Windows Event Log System 104
search:(`wineventlog_security` EventCode=1102) OR (`wineventlog_system` EventCode=104) | stats count min(_time) as firstTime max(_time) as lastTime by dest object EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_event_log_cleared_filter`
how_to_implement:To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed. known_false_positives:It is possible that these logs may be legitimately cleared by Administrators. Filter as needed. References: -https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1102 -https://www.ired.team/offensive-security/defense-evasion/disabling-windows-event-logs-by-suspending-eventlog-service-threads -https://attack.mitre.org/techniques/T1070/001/ -https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md drilldown_searches: name:'View the detection results for - "$dest$"' search:'%original_detection_search% | search dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'ShrinkLocker' - 'Windows Log Manipulation' - 'Ransomware' - 'CISA AA22-264A' - 'Compromised Windows Host' - 'Clop Ransomware' asset_type:Endpoint confidence:100 impact:70 message:Windows $object$ cleared on $dest$ via EventCode $EventCode$ mitre_attack_id: - 'T1070' - 'T1070.001' observable: name:'dest' type:'Endpoint' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'EventCode' - 'dest' risk_score:70 security_domain:endpoint
