[New Rule] Clearing Windows Event Logs #500

Closed
janniten opened this issue Nov 9, 2020 · 3 comments · Fixed by #529
Labels: community, Domain: Endpoint, OS: Windows (windows related rules), Rule: New (Proposal for new rule)

Comments

@janniten
Contributor

janniten commented Nov 9, 2020

Description

There are (to my knowledge) 3 ways of clearing the Windows Event logs:

  • Using powershell:
    powershell.exe Clear-EventLog -LogName application, system -confirm

  • Using wevtutil:
    WevtUtil.exe cl "Security"

  • Using the event viewer:
    image

I've tested the rule for the 3 ways on a 2012 and 2016 DC and here are the results:

  • For both wevtutil and powershell methods the process.args field is not completed, so there is no way to know which action (in this case Clear-EventLog for powershell and cl for wevtutil) has been performed.
    After the tests:
    image

When clearing from event viewer no process related data is generated, but Event logs are cleared.

In the 3 cases the event 1102 is generated. The event is ECS compliant and my own rule works for the 3 cases using this query:

event.action: "audit-log-cleared"
or it also works querying the specific event
event.code: "1102"

There has been a discussion about an event category when configurations or audit are changed/modified and maybe in the future a more general query can be done (elastic/ecs#963)

Is there any reason why the clearing of event logs is not detected by the appearance of event 1102 and only by process and its arguments?
Also there is one open improvement related to this rule (#392), but in that case it is clear that process.args has data...
Am I missing something?
Thank you

@janniten janniten added the Rule: Tuning tweaking or tuning an existing rule label Nov 9, 2020
@Samirbous
Contributor

@janniten thanks for opening this issue, in your screenshot I see event id 4688, is the command line auditing enabled or not?

It's a good idea to use the 1102 EventID to complement, but the inconvenience of this approach is one doesn't know which process + cmdline did the deletion action and hence can't easily guess the context (most of the time the GUI way is legit and related to SysAdmin activity).

@janniten
Contributor Author

janniten commented Nov 9, 2020

Hi @Samirbous, my fault, the setting Include command line in process creation events was not configured in my local policy. Sorry! Now I can see the parameters about log clearing.

I still believe that using the event 1102 (security) and 104 (for application, system and other logs) is a good complement in these cases:

  • If you don't have the cmd line in process creation (like I had before) you can still know that the log was cleared using wevtutil or powershell, correlating by winlog.logon.id from event 1102/104 and winlog.logon.id from event 4688
  • You can detect when the clear was made from the GUI, whether it was made by a legal admin or not. In some cases when you are under strong security regulations (like SOX or PCI) you need to monitor the admins that close in case of audit logs.
    The Defense Evasion is (in my opinion) not the only interest for this DR.

Thank you!
Regards
Anna
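The correlation proposed in the comment above, written out as an added example (not code from the elastic/detection-rules project or from the commenter): 1102/104 log-clear events are joined to 4688 process-creation events on winlog.logon.id, and a clear with no matching wevtutil/powershell process is flagged as a likely Event Viewer (GUI) clear. The events, logon ids and timestamps are constructed; the time window is an assumption.

```python
# Added example, not code from the elastic/detection-rules project: correlate
# log-clear events (Security 1102, System/Application 104) with process
# creation (4688) on winlog.logon.id, as proposed above. Events are constructed
# flat ECS/winlogbeat-style dicts with made-up values; "@timestamp" is epoch seconds.

CLEAR_EVENT_CODES = {"1102", "104"}
PROCESS_CREATION_CODE = "4688"
CLEAR_TOOLS = {"wevtutil.exe", "powershell.exe"}
WINDOW_SECONDS = 60  # assumed: how far back to look for the 4688 of the clearing process

SAMPLE_EVENTS = [
    # constructed: wevtutil clears the Security log under logon id 0x3e7a1
    {"@timestamp": 1000, "event.code": "4688", "winlog.logon.id": "0x3e7a1",
     "process.name": "wevtutil.exe", "process.args": ["wevtutil.exe", "cl", "Security"]},
    {"@timestamp": 1001, "event.code": "1102", "event.action": "audit-log-cleared",
     "winlog.logon.id": "0x3e7a1"},
    # constructed: System log cleared from Event Viewer under another logon id;
    # the only wevtutil 4688 for that logon is a stale query, outside the window
    {"@timestamp": 100, "event.code": "4688", "winlog.logon.id": "0x5c9f2",
     "process.name": "wevtutil.exe", "process.args": ["wevtutil.exe", "qe", "System"]},
    {"@timestamp": 1500, "event.code": "104", "winlog.logon.id": "0x5c9f2"},
]


def correlate_log_clears(events, window=WINDOW_SECONDS):
    """One finding per 1102/104 event, in time order. The finding carries the
    clearing logon id plus the command line of any wevtutil/powershell 4688
    with the same logon id within `window` seconds before the clear; a clear
    with no such process is flagged as a likely GUI (Event Viewer) clear."""
    events = sorted(events, key=lambda e: e["@timestamp"])
    findings = []
    for i, ev in enumerate(events):
        if ev.get("event.code") not in CLEAR_EVENT_CODES:
            continue
        processes = [
            (p["process.name"], " ".join(p.get("process.args", [])))
            for p in events[:i]  # only events that preceded the clear
            if p.get("event.code") == PROCESS_CREATION_CODE
            and p.get("process.name") in CLEAR_TOOLS
            and p.get("winlog.logon.id") == ev.get("winlog.logon.id")
            and ev["@timestamp"] - p["@timestamp"] <= window
        ]
        findings.append({"event.code": ev["event.code"],
                         "winlog.logon.id": ev.get("winlog.logon.id"),
                         "source": "process" if processes else "gui-or-unknown",
                         "processes": processes})
    return findings
```

With command-line auditing enabled the 4688 match gives the context Samirbous asks for; without it, the 1102/104 finding still records that the log was cleared and by which logon session.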

@Samirbous
Contributor

Hi @janniten, yes, all good points, especially regulation and compliance requirements. Because the existing rule is using process execution data, you can create a "New Rule" issue and PR for the same using Windows event logs.

@threat-punter threat-punter changed the title [Rule Tuning] Clearing Windows Event Logs [New Rule] Clearing Windows Event Logs Nov 19, 2020
@threat-punter threat-punter reopened this Nov 19, 2020
@threat-punter threat-punter added Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule and removed Rule: Tuning tweaking or tuning an existing rule labels Nov 19, 2020
@threat-punter threat-punter self-assigned this Nov 19, 2020