Detect Event Log Deletions (Windows)


In the world of cybersecurity, event logs form the cornerstone of threat detection within SIEM (Security Information and Event Management) systems. But how effectively does your Security Operations Center (SOC) identify tampered event logs? This article explores SOC testing within your existing SIEM or during a POC (Proof of Concept).

Understanding Conventional Practices

The conventional practice of deleting event logs via the Event Viewer is widely understood. However, attackers often rely on less obvious methods, so it is essential to assess how well your SOC catches unconventional deletion techniques, not just the obvious one.

Not Just in Domain Controllers

Most of the attack stages will not happen on the Domain Controllers (DC); they can happen on any computer in the network. Actually, if you get an alert “Security Event Log Cleared in the Domain Controller” it’s too late – GAME OVER. The attacker already has full control of your network.

To identify this activity, we must recognize it on any computer in the network and alert on it at an early stage of the attack. Here are a few different ways to clear the event logs, and it is a good idea to test your SOC’s reaction to each of them:

To clear the event logs using the Event Viewer GUI:

  1. Open Event Viewer on your local computer.
  2. Expand the Windows Logs category.
  3. Right-click the log that you want to clear and select Clear Log.
  4. Delete the Security log.
  5. Delete any other logs.
  6. Click Clear in the confirmation dialog box.


To clear the event logs using methods other than the Event Viewer GUI:

An average attacker will not use the GUI to delete their trail from the Event Viewer, and automated processes (like malware) will not use the GUI either. The common way of clearing the event logs is without the GUI.
Most of these methods need Local Admin privileges (how to get Local Admin rights, and how to identify it in your SIEM, will be published later on).
If the user does not have the necessary privileges, even a failed attempt to clear the event logs is a sign that you are at risk and need to investigate.


Command Line (CMD):

  1. Open a command prompt on your computer (Local Admin privileges are needed, otherwise you get “Access is denied”).
  2. Type one of the following commands and press Enter:

`wevtutil cl Application`

`wevtutil cl Microsoft-Windows-PowerShell/Operational`


PowerShell:

  1. Open PowerShell on your computer (Local Admin privileges are needed, otherwise you get “Access is denied”).
  2. Type one of the following commands and press Enter:

`Clear-EventLog -LogName Application`

`Clear-EventLog -LogName "Windows PowerShell"`


Delete EVTX files:

  1. Delete any of the files located under the folder `C:\Windows\System32\winevt\Logs` on your computer.
  2. You can use a PowerShell command to delete those files:

`Remove-Item -Path "C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx"`

For some files, you will get a message like:
`Remove-Item: The process cannot access the file 'C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx' because it is being used by another process.`

Overcoming Limitations:
One way to overcome this is to stop the Windows Event Log service. (Stopping this service is itself an event that the SIEM/SOC must alert on.)
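The detection side of the methods above, as an added example that is not part of the original article: a small rule set run over constructed, pre-parsed Windows events (hostnames, command lines and field names are assumptions). It alerts on the log-cleared events (Security 1102, System 104), on the Windows Event Log service stopping (System 7036), and on process-creation events (Security 4688) whose command line shows `wevtutil cl`, `Clear-EventLog` or an EVTX deletion, on any host rather than only Domain Controllers. Because 4688 is written when the process starts, the command-line rules also catch an attempt that later failed with access denied.

```python
import re

# Constructed sample events (not real telemetry), flattened to the fields a SIEM parser would expose.
SAMPLE_EVENTS = [
    {"host": "WS-042", "channel": "Security", "id": 1102, "cmd": ""},
    {"host": "WS-042", "channel": "System", "id": 104, "cmd": ""},
    {"host": "WS-017", "channel": "Security", "id": 4688,
     "cmd": "wevtutil.exe cl Microsoft-Windows-PowerShell/Operational"},
    {"host": "WS-017", "channel": "Security", "id": 4688,
     "cmd": "powershell.exe -c Clear-EventLog -LogName Application"},
    {"host": "WS-099", "channel": "Security", "id": 4688,
     "cmd": 'powershell.exe Remove-Item -Path "C:\\Windows\\System32\\winevt\\Logs\\Application.evtx"'},
    {"host": "WS-099", "channel": "System", "id": 7036, "cmd": "",
     "service": "Windows Event Log", "state": "stopped"},
    # Read-only query of the log: must NOT raise an alert.
    {"host": "WS-001", "channel": "Security", "id": 4688, "cmd": "wevtutil.exe qe Security /c:5"},
]

# Command-line patterns matching the clearing methods described in the article.
CLEAR_PATTERNS = [
    (re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I), "wevtutil cl"),
    (re.compile(r"\bClear-EventLog\b", re.I), "Clear-EventLog cmdlet"),
    (re.compile(r"\bRemove-Item\b.*winevt\\Logs", re.I), "EVTX file deletion"),
]


def detect_log_clearing(events):
    """Return one (host, reason) tuple per event that indicates log tampering."""
    alerts = []
    for ev in events:
        eid, cmd = ev["id"], ev.get("cmd", "")
        if ev["channel"] == "Security" and eid == 1102:
            alerts.append((ev["host"], "Security log cleared (1102)"))
        elif ev["channel"] == "System" and eid == 104:
            alerts.append((ev["host"], "event log cleared (104)"))
        elif eid == 7036 and ev.get("service") == "Windows Event Log" and ev.get("state") == "stopped":
            alerts.append((ev["host"], "Windows Event Log service stopped (7036)"))
        elif eid == 4688:
            for pattern, label in CLEAR_PATTERNS:
                if pattern.search(cmd):
                    alerts.append((ev["host"], f"process creation: {label}"))
                    break  # one alert per event
    return alerts


if __name__ == "__main__":
    for host, reason in detect_log_clearing(SAMPLE_EVENTS):
        print(f"{host}: {reason}")
```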

Other ways:

There are other ways, not covered here, in which an attacker can eliminate their traces (e.g., via the registry). We will cover additional methods in:

Test Your SOC – Detect Event Log Deletions – Part II – Advanced


Conclusion:
To effectively detect suspicious activity, it is not enough to have many rules (CyRay provides more than 10 rules for this scenario); it is also imperative to collect all the required events from every computer in the network, not only from the Domain Controllers.

If you are aware of alternative methods for log deletion, kindly inform us, and we will develop detection mechanisms for them.
