{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/event-logging/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Windows Event Log"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","windows","event-logging"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThe Windows Event Log service (service name EventLog) is the component that every Windows security monitoring and incident investigation workflow depends on. Attackers who have reached administrative privilege stop, clear or tamper with it to cover their tracks and hinder forensic analysis. Event ID 1100 in the Security log records that the event logging service has shut down. Every clean shutdown or restart writes this event, so Event ID 1100 on its own is routine; the signal worth investigating is a 1100 on a host that nobody asked to shut down, or one followed by fresh activity from the same host with no startup marker (Security Event ID 4608, Windows is starting up) in between. One caveat: the event is written by the service itself as it shuts down, so if the service process is killed or its threads are suspended rather than stopped cleanly, no 1100 may appear. This detection therefore belongs alongside checks for gaps in forwarded telemetry, audit log clearing (Event ID 1102) and audit policy changes (Event ID 4719). 
This detection flags each Event ID 1100 so that unplanned service stops can be separated from routine shutdowns.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains a foothold, for example through phishing or by exploiting an exposed vulnerability.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker escalates to administrative rights, which controlling the EventLog service requires.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The attacker moves to disable or manipulate Windows Event Logs so that subsequent actions are not recorded.\u003c/li\u003e\n\u003cli\u003eService Stop: The attacker uses service control tools or commands to stop the Windows Event Log service (EventLog).\u003c/li\u003e\n\u003cli\u003eEvent ID 1100 Generated: The service writes Event ID 1100 to the Security log as it shuts down; this is the last event the host records locally until the service comes back.\u003c/li\u003e\n\u003cli\u003eMalicious Activity: With local logging stopped, the attacker installs malware, exfiltrates data or moves laterally without leaving Windows event log entries.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker establishes persistence mechanisms to maintain access to the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successfully stopped Windows Event Log service lets the attacker operate without host telemetry, which makes incident response and forensic analysis significantly harder. The usual consequences are longer dwell time, more data exfiltrated and greater overall damage to the organization. 
The absence of event logs hinders the ability to trace attacker activities, establish the scope of the breach and plan effective remediation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eForward the Security channel, including Event ID 1100, from every host to a central log server or SIEM (in Splunk, EventCode=1100 under sourcetype WinEventLog:Security), so that the shutdown event and everything before it survive even if the local log is later cleared.\u003c/li\u003e\n\u003cli\u003eDeploy a Sigma rule, or the equivalent Splunk search, that matches Event ID 1100 in the Security channel, and tune it for your environment by correlating with System Event ID 1074 (a process initiated a shutdown or restart) and by treating scheduled maintenance windows as expected.\u003c/li\u003e\n\u003cli\u003eInvestigate every unexplained Event ID 1100 promptly: confirm whether a shutdown or restart was actually requested and whether the host rebooted, and treat a service stop on a host that kept running as tampering until shown otherwise.\u003c/li\u003e\n\u003cli\u003eAlert on related service control and audit tampering signals on critical systems: System Event IDs 7040 (EventLog start type changed) and 6006/6005 (event log service stopped/started), and Security Event IDs 1102 (audit log cleared) and 4719 (audit policy changed).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-windows-event-logging-shutdown/","summary":"Detection of the Windows Event Log service shutdown, indicated by Event ID 1100, which can signify attempts to evade detection by disabling logging.","title":"Windows Event Logging Service Shutdown Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-03-windows-event-logging-shutdown/"}],"language":"en","title":"CraftedSignal Threat Feed — Event-Logging","version":"https://jsonfeed.org/version/1.1"}
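The correlation the brief above calls for, Security Event ID 1100 checked against a preceding System 1074 shutdown request and a following 6005/4608 boot marker, as an added Python example that is not part of the CraftedSignal brief or of any Splunk content. The host names, timestamps and the lookback/lookahead windows are constructed for illustration; the event IDs are the documented Windows ones.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class WinEvent:
    """Minimal model of a forwarded Windows event (the fields a SIEM keeps)."""
    host: str
    channel: str      # "Security" or "System"
    event_id: int
    time: datetime


# Event IDs used below (documented Windows IDs):
#   Security 1100  the event logging service has shut down
#   Security 4608  Windows is starting up
#   System   1074  a process initiated a shutdown or restart
#   System   6005  the Event log service was started
SHUTDOWN_LOOKBACK = timedelta(minutes=10)   # assumed window: how far back a 1074 may precede the 1100
STARTUP_LOOKAHEAD = timedelta(minutes=30)   # assumed window: how long to wait for a boot marker

# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    # WS01: a planned restart. 1074 precedes the 1100 and 6005/4608 follow it.
    WinEvent("WS01", "System",   1074, datetime(2024, 1, 3, 8, 0, 0)),
    WinEvent("WS01", "Security", 1100, datetime(2024, 1, 3, 8, 0, 5)),
    WinEvent("WS01", "System",   6005, datetime(2024, 1, 3, 8, 2, 0)),
    WinEvent("WS01", "Security", 4608, datetime(2024, 1, 3, 8, 2, 1)),
    # SRV02: the service stops mid-day with no shutdown request, and Security
    # logging resumes later without a 4608, i.e. the host never rebooted.
    WinEvent("SRV02", "Security", 4624, datetime(2024, 1, 3, 13, 15, 0)),
    WinEvent("SRV02", "Security", 1100, datetime(2024, 1, 3, 13, 20, 0)),
    WinEvent("SRV02", "Security", 4624, datetime(2024, 1, 3, 14, 5, 0)),
]


def classify_1100(events, lookback=SHUTDOWN_LOOKBACK, lookahead=STARTUP_LOOKAHEAD):
    """Return one finding dict per Security 1100.

    verdict is "benign" when a shutdown request (System 1074) preceded the 1100
    and no Security activity resumed without a boot marker; "suspicious"
    otherwise, with the reasons listed.
    """
    by_host = {}
    for ev in sorted(events, key=lambda e: e.time):
        by_host.setdefault(ev.host, []).append(ev)

    findings = []
    for host, evs in by_host.items():
        for ev in evs:
            if ev.channel != "Security" or ev.event_id != 1100:
                continue
            shutdown_requested = any(
                x.channel == "System" and x.event_id == 1074
                and ev.time - lookback <= x.time <= ev.time
                for x in evs)
            boot_marker = any(
                ((x.channel == "System" and x.event_id == 6005)
                 or (x.channel == "Security" and x.event_id == 4608))
                and ev.time < x.time <= ev.time + lookahead
                for x in evs)
            later_security = [x for x in evs
                              if x.channel == "Security" and x.time > ev.time]
            # Time until the host produced its next Security event (the logging gap).
            gap = (later_security[0].time - ev.time) if later_security else None
            resumed_without_boot = bool(later_security) and not boot_marker

            reasons = []
            if not shutdown_requested:
                reasons.append("no System 1074 within lookback: nothing asked the host to shut down")
            if resumed_without_boot:
                reasons.append("Security logging resumed with no 4608/6005: service restarted on a running host")
            verdict = "benign" if shutdown_requested and not resumed_without_boot else "suspicious"
            findings.append({
                "host": host,
                "time": ev.time,
                "verdict": verdict,
                "gap_minutes": None if gap is None else gap.total_seconds() / 60,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in classify_1100(SAMPLE_EVENTS):
        print(f["host"], f["time"], f["verdict"], f["gap_minutes"], "; ".join(f["reasons"]))
```

Run it and WS01 comes back benign while SRV02 is flagged for both the missing shutdown request and the logging gap with no reboot. The two windows are the tuning knobs: a host that is legitimately powered off for hours will exceed the lookahead and should be handled by maintenance-window suppression rather than by widening it. The same logic maps onto a SIEM search that joins the 1100 event to System 1074/6005 and Security 4608 by host within the same windows.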