**WARNING: THIS PLAN WILL DELETE YOUR WINDOWS EVENT LOGS AND CREATE A BACKUP COPY. USE CAUTION**
This micro emulation plan targets malicious activity associated with T1070.001 Indicator Removal: Clear Windows Event Logs. Adversaries and malware often target clearing and/or disabling the native logging provided by Windows events in order to evade detections, while also inhibiting response and recovery from breaches.
You can access the binary for this micro plan as part of the latest release.
What are we doing? This plan provides an easy-to-execute tool that:
- Saves a copy of Windows event log(s) (`security`, `system`, and/or `application`)
- Executes events that will generate relevant log entries (e.g., adding a user, starting then stopping a service)
- Clears the relevant log(s)
Instructions for restoring the saved logs will be displayed in a popup window.
Why should you care? A wide variety of adversaries and malware target clearing the event logging provided by Windows events. This is often combined with T1562.002 Impair Defenses: Disable Windows Event Logging as well as tampering with other security tools discovered in victim environments (e.g., T1562.001 Impair Defenses: Disable or Modify Tools).
Clearing event logs is especially prevalent given this telemetry is often enabled and generated natively by the OS, but is also commonly consumed by other defensive tools/sensors (e.g., EDR) as well as utilized by incident and forensic investigators.
This plan has been compiled into an easy-to-execute executable. The source code for this plan is also provided if you wish to customize and rebuild.
The `log_clearing.exe` tool executes the complete emulation functionality. The tool accepts the following arguments on the command line, or can simply be executed with defaults via double-click:
- `-h` displays the help menu
- `--application` targets the Application log, restarting the `tvnservice` service to generate relevant events
- `--system` targets the System log, starting then stopping the `WMPNetworkSvc` service to generate relevant events
- `--security` targets the Security log, adding then deleting a `secretadmin` privileged user to generate relevant events
- `--no-safe` executes the module without first backing up relevant log files
By default (no arguments) the tool targets all 3 logs.
NOTE: The executable must be run as administrator!
During execution, a popup window will be displayed with instructions to restore log entries from the generated backup files.
Monitor processes and executed commands for potential attempts to tamper with or clear logs, such as execution of the `wevtutil` utility. PowerShell also has a `Clear-EventLog` cmdlet.
Windows will also generate an event (Event ID 1102: "The audit log was cleared") when the Security log is cleared.
Image source: Microsoft Security auditing
Baselining event log size/volume may also help highlight potential anomalies, such as the absence of events in logs.
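As an added example (not part of this plan's tooling), the following PowerShell gathers the signals described above on the local host after running the emulation: Event ID 1102 from the Security log, process creation events whose command line references `wevtutil` or `Clear-EventLog`, and a per-log record count snapshot to compare against an earlier baseline. It assumes it is run elevated, and that Security Event ID 4688 (process creation auditing) has been enabled separately; the function names are this example's own.

```powershell
# Added detection helper; assumes an elevated session on the host that was emulated.
# Security 4688 (process creation) is an assumption: it only exists when process
# creation auditing is enabled in the audit policy.
function Get-LogClearingSignals {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)

    # 1102 is written into the Security log itself when that log is cleared.
    $cleared = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102; StartTime=$since} -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Signal = 'SecurityLogCleared'
                # Properties[1] is the SubjectUserName field of the 1102 event data
                Detail = "Cleared by $($_.Properties[1].Value)"
            }
        }

    # Process creation events whose command line names a known clearing tool/cmdlet.
    $procs = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$since} -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'wevtutil|Clear-EventLog' } |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Signal = 'LogClearingCommand'
                Detail = ($_.Message -split "`n" | Where-Object { $_ -match 'Command Line' }) -join ' '
            }
        }

    @($cleared) + @($procs) | Sort-Object Time
}

# Record count snapshot for the three logs the plan targets; a sharp drop versus an
# earlier snapshot (or a near-empty log on a busy host) is the anomaly to look for.
function Get-LogVolumeSnapshot {
    Get-WinEvent -ListLog Security, System, Application |
        Select-Object LogName, RecordCount, FileSize, LastWriteTime
}

Get-LogClearingSignals -Hours 24 | Format-Table -AutoSize
Get-LogVolumeSnapshot | Format-Table -AutoSize
```

Run `Get-LogVolumeSnapshot` once before executing `log_clearing.exe` and again afterwards to see the record counts reset, alongside the 1102 entry the clearing itself leaves behind.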
Consider customizing security access rights to Windows events (especially on sensitive or otherwise high-risk servers). Specific permissions can be set to control users' ability to `read`, `write`, and `clear` event logs through local or Active Directory group policies.
Also consider utilizing Windows Event Forwarding (WEF) to collect events centrally off individual devices.