Account Management Events
Event Log Manipulation Detection: Safeguarding Critical Evidence
Event logs are essential for monitoring and investigating system and security incidents. However, attackers may attempt to clear or disable logs to hide their tracks and evade detection. This guide highlights key event IDs and detection strategies to identify log manipulation attempts effectively.
Key Event IDs for Event Log Manipulation
1. Event ID 1102: Security Log Cleared
Log Location: Security Logs
Details:
Triggered when the Security log is cleared.
Captures the account responsible for clearing the logs.
Use Case:
Detect log-clearing attempts, especially if the action originates from a compromised or newly created account.
Example: A malicious actor clears the Security log to cover privilege escalation activities.
Investigation:
Identify the user account responsible for the action.
Correlate this event with other logs, such as account creation or privilege escalation events.
2. Event ID 104: Any Log Cleared
Log Location: System Logs
Details:
Triggered when any log, except the Security log, is cleared.
Specifies the log type (e.g., System, PowerShell, Application).
Use Case:
Track log-clearing activity across non-Security logs, such as PowerShell or Application logs.
Example: An attacker clears PowerShell Operational Logs to hide traces of executed scripts.
Investigation:
Determine the specific log cleared.
Analyze preceding events for signs of script execution or system changes.
3. Event ID 1100: Event Logging Disabled
Log Location: Security Logs
Details:
Logged when the Event Log service is manually stopped.
Often occurs just before event logging is fully disabled.
Use Case:
Detect critical events indicating logging service stoppage, a strong indicator of malicious intent.
Example: An attacker disables logging to prevent further evidence collection during their attack.
Investigation:
Identify the account and time associated with stopping the Event Log service.
Investigate actions performed immediately before and after the service was stopped.
Why Attackers Clear or Disable Logs
1. Covering Tracks
Objective: Erase evidence of malicious activities (e.g., privilege escalation, malware execution).
2. Disrupting Security Monitoring
Objective: Disable or interfere with SIEMs and monitoring systems.
3. Avoiding Detection
Objective: Bypass detection tools by removing incriminating logs.
Mitigations and Considerations
1. Privilege Requirements
Clearing logs or disabling event logging requires administrative privileges.
Detection Opportunity: Monitor for privilege escalation events (e.g., Event ID 4672 for special privileges).
2. SIEM Integration
Send critical event logs (IDs 1102, 104, 1100) to a SIEM for real-time correlation and alerting.
3. Behavioral Analysis
Frequent log clearing or service disablement is uncommon.
Set alerts for recurring events involving these actions.
4. Enforce Logging Policies
Use Group Policy Objects (GPOs) to prevent unauthorized changes to logging settings.
Ensure critical event logs are forwarded to secure remote storage for redundancy.
Example Detection Workflow
SIEM Alert:
An alert is triggered for Event ID 1102 (Security log cleared).
Investigate User Activity:
Review the account and preceding events involving the user.
Look for any unusual privilege escalation (e.g., Event ID 4672).
Correlate Events:
Check for Event ID 104 or 1100 within the same timeframe.
Investigate preceding activities, such as PowerShell script execution or task creation.
Respond:
Isolate the compromised system.
Review other endpoints for similar patterns.
Initiate a forensic investigation.
Key Points
Detecting and responding to event log manipulation is critical to maintaining the integrity of forensic investigations. By focusing on key event IDs (1102, 104, 1100) and implementing proactive monitoring measures, organizations can ensure that attackers are unable to effectively hide their tracks or disrupt security monitoring efforts.
Last updated