One of the telltale signs that a nefarious entity is lurking in your network can appear without your ever noticing it. Some hacker groups cover their tracks after they deliver a payload. One way bad actors clean up after themselves is by clearing the Security event logs on the systems they are working on. Having the means to alert whenever this happens is vital to keeping security forensics intact and the audit trail complete. We will cover some of the different ways Windows Security event logs can be cleared and review an ArcSight rule to detect or alert on this activity.
How Hackers Clear Security Event Logs
The clearing of Security event logs is nothing new; in the industry it is commonly referred to as "Counter-Incident Response", essentially the ability to clean up after an attack. Microsoft security events have two principal event IDs that are always triggered when the Security log is cleared: 517 and 1102. As you will see in the ArcSight search string below, simply filtering for those two event IDs should let you detect any activity related to the clearing of Security events.
Another method to spot attempts is to search for the tools or commands used to clear logs. This is an excellent tactic for seeing whether anyone on your network is trying it. One typical utility is the "wevtutil" command, executed as follows:
- "wevtutil cl Security"
Other standard tools include Event Viewer and PowerShell, both of which have mechanisms to clear the Security event log on a system.
List of threat actors that are known to clear security logs
Being able to detect this event is just the first step. Now that you have a target in your sights, you need to know what type of threat you are dealing with. Below are some of the top threat actors known for having this behavior during or post-compromise.
- APT (28, 32, 38, 41)
- DragonFly 2.0
- FIN (5 and 8)
- Gh0st RAT
- Olympic Destroyer
It is crucial to understand how each of these threat actors operates in order to know precisely when and how they go about clearing Security event logs. For example, the APT groups are known to use the "wevtutil" command, while others, like FinFisher, use APIs such as OpenEventLog. A good combination of detection and investigation is still required to identify the threat actor correctly and stop any ongoing or persistent threats.
How to Detect Cleared logs in ArcSight
If you are a user of the ArcSight SIEM platform, the following search query can be used directly to detect event IDs 517 and 1102. Be mindful of how you are receiving your Microsoft Security event logs, as the event fields may differ slightly from what is shown below. For example, if "externalId" doesn't work, try "eventId" or the event code field instead. You will also want to find the field that carries the command line; it is usually one of the message, description, action, or command fields. Once you have found the correct field, add an "AND" clause to the search below, as follows:
AND message = "wevtutil*"
This will include any events whose message field contains the wevtutil command (the * is a wildcard).
(deviceVendor = "Microsoft" AND deviceProduct = "Microsoft Windows" AND (externalId = 517 OR externalId = 1102))
The inner parentheses matter: without them, AND binds before OR and the query would match event ID 1102 from any device, not just Windows hosts.
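The detection described above, with the wevtutil clause folded in, written out as an added Python example (this is not code from the article or from ArcSight). The events are constructed, the field names mirror the ArcSight-style fields the article's query uses, and deviceHostName and sourceUserName are assumed fields used only to label the alert. The example also shows why the event-ID OR has to be parenthesised: the ungrouped form fires on a non-Windows device that happens to report the number 1102.

```python
"""Toy detector for Windows Security-log clearing, modelled on the ArcSight
search in the article. Added example: the events are constructed, and the
field names (deviceVendor, deviceProduct, externalId, message) mirror the
ArcSight-style fields in the article's query."""
import fnmatch

# Constructed sample events (not real telemetry). deviceHostName and
# sourceUserName are assumed field names used only to label the alert.
SAMPLE_EVENTS = [
    # Current Windows "audit log was cleared" event
    {"deviceVendor": "Microsoft", "deviceProduct": "Microsoft Windows",
     "externalId": "1102", "message": "The audit log was cleared.",
     "deviceHostName": "WS-01", "sourceUserName": "CONTOSO\\jdoe"},
    # Legacy (pre-Vista) event ID for the same action
    {"deviceVendor": "Microsoft", "deviceProduct": "Microsoft Windows",
     "externalId": "517", "message": "The audit log was cleared.",
     "deviceHostName": "SRV-2003", "sourceUserName": "CONTOSO\\svc_backup"},
    # Process-creation event whose command line contains the clearing tool
    {"deviceVendor": "Microsoft", "deviceProduct": "Microsoft Windows",
     "externalId": "4688",
     "message": "A new process has been created. Process Command Line: wevtutil cl Security",
     "deviceHostName": "WS-02", "sourceUserName": "CONTOSO\\jdoe"},
    # Benign logon; should not alert
    {"deviceVendor": "Microsoft", "deviceProduct": "Microsoft Windows",
     "externalId": "4624", "message": "An account was successfully logged on.",
     "deviceHostName": "WS-01", "sourceUserName": "CONTOSO\\asmith"},
    # Non-Windows device that happens to use the number 1102; should not alert
    {"deviceVendor": "ExampleVendor", "deviceProduct": "ExampleFirewall",
     "externalId": "1102", "message": "Connection permitted.",
     "deviceHostName": "fw-edge", "sourceUserName": ""},
]

CLEAR_LOG_IDS = {"517", "1102"}  # 517 = legacy ID, 1102 = current ID


def is_windows_log_cleared(event):
    """Correctly grouped form of the article's query:
    vendor AND product AND (id = 517 OR id = 1102)."""
    return (event.get("deviceVendor") == "Microsoft"
            and event.get("deviceProduct") == "Microsoft Windows"
            and event.get("externalId") in CLEAR_LOG_IDS)


def is_log_cleared_naive(event):
    """Ungrouped form: vendor AND product AND id = 517 OR id = 1102.
    AND binds tighter than OR, so event 1102 from any device matches."""
    return ((event.get("deviceVendor") == "Microsoft"
             and event.get("deviceProduct") == "Microsoft Windows"
             and event.get("externalId") == "517")
            or event.get("externalId") == "1102")


def mentions_wevtutil(event):
    """Wildcard match like the article's message = "wevtutil*", but with a
    leading * as well so a command line embedded mid-message still matches."""
    return fnmatch.fnmatchcase(event.get("message", "").lower(), "*wevtutil*")


def detect(events):
    """Return one (host, user, reasons) tuple per event that should alert."""
    alerts = []
    for event in events:
        reasons = []
        if is_windows_log_cleared(event):
            reasons.append("Security log cleared (event ID %s)" % event["externalId"])
        if mentions_wevtutil(event):
            reasons.append("wevtutil seen in message")
        if reasons:
            alerts.append((event["deviceHostName"], event["sourceUserName"], reasons))
    return alerts


if __name__ == "__main__":
    for host, user, reasons in detect(SAMPLE_EVENTS):
        print(host, user, "; ".join(reasons))
```

Run against the constructed events, `detect` raises three alerts (the 1102 and 517 clears and the 4688 command line) and stays silent on the logon and the firewall event, while `is_log_cleared_naive` wrongly fires on the firewall's 1102. The wildcard is widened on both sides because process-creation messages put the command line after descriptive text, so a pattern anchored at the start of the message would miss them.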
Security detection and response is a huge undertaking. It is vital to keep learning and to apply those lessons to strengthen the overall security of any enterprise.