Windows Event Log Clearing Attempt Detected
Adversaries clear Windows event logs to evade detection and destroy forensic evidence, breaking SIEM detections and covering their tracks.
Attackers often attempt to clear Windows event logs to evade detection and destroy forensic evidence. This technique is used to break SIEM detections, cover tracks, and slow down incident response. Windows event logs are a fundamental data source for security monitoring, forensics, and incident response, making their integrity crucial for defenders. This rule focuses on detecting clear actions on the Security and System event logs, providing an alert when such activity is observed. This behavior is often indicative of post-compromise activity and an attempt to hide malicious actions already taken on the system.
Attack Chain
- The attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).
- The attacker escalates privileges to gain administrative access required to clear logs.
- The attacker uses a command-line tool such as
wevtutilor PowerShell to clear the Security or System event logs. - The system records an event with the event ID indicating that the event logs have been cleared (event.action:"audit-log-cleared" or "Log clear").
- The event is logged in the Security or System channel (winlog.channel: ("Security" or "System")).
- Security monitoring tools ingest the event data.
- The detection rule identifies the log clearing activity based on the event data.
- The attacker continues with their objectives, now with reduced chances of being detected through standard log analysis.
Impact
Successful clearing of Windows event logs can severely hinder incident response efforts. By removing critical forensic data, attackers can obscure their activities, making it difficult to determine the scope and nature of the compromise. This can lead to prolonged dwell time, increased data exfiltration, and greater overall damage. The absence of event logs prevents defenders from identifying the initial attack vector, lateral movement, and other malicious actions performed on the system.
Recommendation
- Deploy the Sigma rule "Windows Event Logs Cleared" to your SIEM to detect log clearing attempts based on
event.actionandwinlog.channel. - Investigate any alerts generated by the Sigma rule, focusing on the process execution chain and user accounts involved, as described in the rule's
notesection. - Enable and monitor Windows Security and System Event Logs to ensure that log clearing attempts are captured.
- Review and harden access controls to prevent unauthorized users from clearing event logs.
- Implement a log forwarding solution to a secure, centralized logging server to preserve logs even if they are cleared on the endpoint.
Detection coverage 3
Windows Event Logs Cleared
lowDetects attempts to clear Windows event log stores.
Windows Event Logs Cleared - Wevtutil
mediumDetects attempts to clear Windows event logs using Wevtutil.
Windows Event Logs Cleared - PowerShell Clear-EventLog
mediumDetects attempts to clear Windows event logs using PowerShell Clear-EventLog cmdlet.
Detection queries are available on the platform. Get full rules →