Event Log Manipulation

Event Log Manipulation Detection: Ensuring Evidence Integrity

Event logs are essential for tracking system and security activities, providing vital evidence for forensic investigations. However, attackers often attempt to manipulate these logs by clearing or disabling them to cover their tracks. This guide outlines the key event IDs for detecting such manipulations and provides strategies to mitigate these threats.


Key Event IDs for Detecting Log Manipulation

1. Event ID 1102: Security Log Cleared

  • Log Location: Security Logs

  • Details:

    • Triggered when the Security log is cleared.

    • Records the user account that initiated the action.

  • Use Case:

    • Detect potential compromise or malicious activity by tracking accounts that clear security logs.

Example:

A newly created or compromised account clears the security logs after performing malicious actions to erase evidence.

2. Event ID 104: Any Log Cleared

  • Log Location: System Logs

  • Details:

    • Triggered when any log (except Security) is cleared.

    • Specifies which log (e.g., System, PowerShell) was cleared.

  • Use Case:

    • Monitor for suspicious clearing of logs such as PowerShell Operational Logs, which may indicate the use of malicious scripts.

Example:

An attacker clears the System Logs to hide traces of abnormal system behavior or the use of tools like Task Scheduler.

3. Event ID 1100: Event Logging Disabled

  • Log Location: Security Logs

  • Details:

    • Triggered when the Event Log service is manually stopped.

    • Captures the account that disabled logging.

  • Use Case:

    • Detect high-priority incidents where logging services are disabled, potentially indicating the start of a stealthy attack phase. Note that 1100 is also written during a normal system shutdown, so suppress alerts that coincide with an expected restart (for example, a matching Event ID 1074 shutdown event from the same host) and escalate the rest.

Example:

An attacker disables event logging to prevent security tools from capturing their activities.
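The following PowerShell function is an added example (not part of the original guide) that pulls the three indicators above into one normalised list: 1102 and 1100 from the Security log and 104 from the System log, with the acting account taken from the UserData/LogFileCleared section that 1102 and 104 carry. It assumes it is run elevated on the host being checked, since the Security log is not readable otherwise; the Since window and the output field names are my own choices.

```powershell
# Added example: collect event-log manipulation indicators (1102, 104, 1100)
# from the local host. Run from an elevated PowerShell session.
function Get-LogManipulationEvents {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7)   # assumed default window
    )

    # 1102 and 1100 are written to Security; 104 is written to System.
    $filters = @(
        @{ LogName = 'Security'; Id = 1102, 1100; StartTime = $Since },
        @{ LogName = 'System';   Id = 104;        StartTime = $Since }
    )

    foreach ($filter in $filters) {
        # Get-WinEvent raises an error when nothing matches; treat that as "no events".
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            [xml]$xml = $e.ToXml()
            # 1102 and 104 record the subject in UserData/LogFileCleared;
            # 1100 (service shutdown) has no subject fields, so fall back to the
            # record's UserId SID when present.
            $cleared = $xml.Event.UserData.LogFileCleared

            switch ($e.Id) {
                1102 { $indicator = 'Security log cleared' }
                104  { $indicator = 'Log cleared: ' + $cleared.Channel }
                1100 { $indicator = 'Event Log service shut down' }
            }

            if ($cleared) {
                $account = "$($cleared.SubjectDomainName)\$($cleared.SubjectUserName)"
            } elseif ($e.UserId) {
                $account = $e.UserId.Value
            } else {
                $account = $null
            }

            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                Computer    = $e.MachineName
                EventId     = $e.Id
                Indicator   = $indicator
                Account     = $account
                LogonId     = $cleared.SubjectLogonId   # populated for 1102 only
            }
        }
    }
}

# Usage: newest first; pipe to Export-Csv or a SIEM forwarder as needed.
Get-LogManipulationEvents -Since (Get-Date).AddDays(-30) |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize
```

The LogonId field is kept because it is the join key for the privilege-correlation step later in this guide: 1102 and 4672 both carry the subject's logon ID, so a match ties the clear to a specific privileged session rather than just a user name.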


Why Attackers Manipulate Event Logs

1. Covering Tracks

  • Goal: Erase evidence of malicious activities such as privilege escalation, lateral movement, or data exfiltration.

2. Disrupting Security Monitoring

  • Goal: Disable or interfere with SIEMs and monitoring tools, preventing automated detection and alerting.

3. Avoiding Detection

  • Goal: Prevent the generation of alerts by removing critical logs or stopping the logging service.


Detection and Mitigation Strategies

1. Monitor Key Event IDs

  • Set up alerts for the following event IDs:

    • 1102: Security Log Cleared.

    • 104: Any Log Cleared.

    • 1100: Event Logging Disabled.

2. Privilege Escalation Detection

  • Clearing logs or disabling event logging requires administrative privileges.

    • Monitor Event ID 4672 (Special Privilege Assignments) to detect accounts with elevated privileges.

3. SIEM Integration

  • Integrate logs into a SIEM solution to:

    • Correlate events in real time.

    • Generate alerts for log-clearing and service-disabling actions.

4. Behavioral Analysis

  • Baseline Logging Behavior:

    • Frequent log clearing or disabling logging services is uncommon and should raise red flags.

    • Analyze log-clearing patterns to identify anomalies.

5. Enforce Logging Policies via GPOs

  • Use Group Policy Objects (GPOs) to ensure critical event logging is always enabled.

  • Forward logs to a remote server to preserve copies even if local logs are deleted.

6. Regular Audit and Review

  • Conduct regular audits of log files to ensure integrity.

  • Review log retention policies to prevent accidental or malicious deletion.
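As an added example of the audit in points 5 and 6 (this is my own code, not part of the original guide), the function below checks the conditions that the detections on this page depend on: the Event Log service running and set to start automatically, the critical channels enabled and sized so evidence cannot simply be aged out, and a forwarding target configured so a remote copy survives a local clear. The registry path checked for forwarding is the one written by the "Configure target Subscription Manager" policy; the channel list and the minimum size are assumed baseline values to adjust to your environment.

```powershell
# Added example: audit local logging configuration against a baseline.
# Run elevated; values below are assumed baselines, not Microsoft defaults.
function Test-EventLogHardening {
    param(
        [string[]]$Channels = @('Security', 'System', 'Microsoft-Windows-PowerShell/Operational'),
        [long]$MinSizeBytes = 64MB
    )
    $findings = @()

    # 1. The Event Log service must be running and start automatically;
    #    a stopped service is exactly what Event ID 1100 records.
    $svc = Get-Service -Name EventLog
    if ($svc.Status -ne 'Running')      { $findings += "EventLog service is $($svc.Status)" }
    if ($svc.StartType -ne 'Automatic') { $findings += "EventLog service start type is $($svc.StartType)" }

    # 2. Each critical channel should be enabled and large enough that noise
    #    cannot push the evidence out of a circular log.
    foreach ($name in $Channels) {
        $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if (-not $log) { $findings += "Channel '$name' not found"; continue }
        if (-not $log.IsEnabled) { $findings += "Channel '$name' is disabled" }
        if ($log.MaximumSizeInBytes -lt $MinSizeBytes) {
            $findings += "Channel '$name' max size $($log.MaximumSizeInBytes) bytes is below baseline $MinSizeBytes"
        }
    }

    # 3. Forwarding: without a subscription manager there is no remote copy
    #    to fall back on once the local log has been cleared.
    $fwd = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    if (-not (Test-Path $fwd)) { $findings += 'No event-forwarding subscription manager configured' }

    if ($findings.Count -eq 0) { 'OK: logging configuration matches the baseline' } else { $findings }
}

# Usage: run on a schedule and alert on any non-OK output.
Test-EventLogHardening
```

Running this from the same scheduled job that collects the 1102/104/1100 events gives you both halves of the picture: whether logging is still in a state where those events would be generated at all, and whether any have been.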


Example Detection Workflow

  1. SIEM Alert:

    • An alert is triggered for Event ID 1102 (Security Log Cleared).

  2. Immediate Investigation:

    • Review the account and time associated with the event.

    • Look for related Event IDs (e.g., 104, 1100) indicating broader log manipulation or service stoppage.

  3. Correlate with Other Events:

    • Check for privilege escalation (Event ID 4672) or suspicious activity just before the logs were cleared.

  4. Response:

    • Isolate the system.

    • Disable the compromised account.

    • Preserve forensic evidence by securing a remote copy of logs.
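The triage in steps 1 to 3 can be scripted. The function below is an added example (mine, not from the original guide) that, for every Security Log Cleared event, extracts the acting account and logon ID, looks for a 4672 Special Privilege Assignment event for that same logon session in the minutes before the clear, and lists any 104 or 1100 events in the surrounding window. It assumes an elevated session on the affected host (or a collector holding forwarded copies of its Security and System logs); the window size is an assumed default. Step 4 (isolation, account disablement, evidence preservation) is deliberately left to the responder.

```powershell
# Added example: triage each Security log clear (1102) by correlating it with
# privileged logons (4672) for the same logon ID and nearby 104/1100 events.
function Invoke-LogClearTriage {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),   # assumed default window
        [int]$WindowMinutes = 15                     # assumed correlation window
    )

    $cleared = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $Since } `
                            -ErrorAction SilentlyContinue
    foreach ($e in $cleared) {
        [xml]$x = $e.ToXml()
        $subject = $x.Event.UserData.LogFileCleared
        $logonId = $subject.SubjectLogonId
        $from    = $e.TimeCreated.AddMinutes(-$WindowMinutes)
        $to      = $e.TimeCreated.AddMinutes($WindowMinutes)

        # Step 3: 4672 events for the same logon session shortly before the clear.
        # 4672 stores SubjectLogonId in EventData, rendered as the same 0x... hex text.
        $priv = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $from; EndTime = $e.TimeCreated } `
                             -ErrorAction SilentlyContinue |
            Where-Object {
                [xml]$p = $_.ToXml()
                ($p.Event.EventData.Data | Where-Object Name -eq 'SubjectLogonId').'#text' -eq $logonId
            }

        # Step 2: other manipulation indicators around the same time.
        $r104  = Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104;  StartTime = $from; EndTime = $to } -ErrorAction SilentlyContinue
        $r1100 = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1100; StartTime = $from; EndTime = $to } -ErrorAction SilentlyContinue
        $related = @($r104) + @($r1100) | Where-Object { $_ }

        [pscustomobject]@{
            ClearedAt           = $e.TimeCreated
            Computer            = $e.MachineName
            Account             = "$($subject.SubjectDomainName)\$($subject.SubjectUserName)"
            LogonId             = $logonId
            PrivilegedLogonSeen = ($priv | Measure-Object).Count -gt 0
            RelatedEventIds     = ($related | ForEach-Object Id | Sort-Object -Unique) -join ','
        }
    }
}

# Usage: review the output before deciding on containment (step 4).
Invoke-LogClearTriage | Format-List
```

Joining on the logon ID rather than the user name matters: an administrator account may have several concurrent sessions, and only the one that actually cleared the log is of interest when reconstructing what happened just before.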


Key Points

Event log manipulation is a clear indicator of malicious activity aimed at hiding traces of an attack. By focusing on critical event IDs like 1102, 104, and 1100, and implementing robust monitoring and alerting strategies, organizations can detect and respond to log manipulation attempts quickly, ensuring the integrity of their forensic investigations.
