Were any system event logs cleared?

ID: Q1074

Approaches to Answer

• Search CrowdStrike logs for indicator removal on host [Q1074.10]
  • CrowdStrike has built-in detections for "indicator removal on host" events.
  • Tags: CrowdStrike Linux Windows macOS
• Examine Windows Event Logs for Audit Log cleared [Q1074.11]
  • Parse the Windows Security Event Log and look for "the audit log was cleared" event.
  • Tags: Windows Event Logs

Approaches

Note

There are often multiple ways to approach answering a question. This section explains the approaches considered, how they work, and any benefits or drawbacks to each. All these approaches have different pros and cons. They can be used individually or in conjunction.

Search CrowdStrike logs for indicator removal on host

🗂️ Explanation

Clearance/deletion of system logs would be recorded in CrowdStrike as a part of their "indicator removal on host" detections.

References

• https://www.crowdstrike.com/blog/tech-center/hunt-threat-activity-falcon-endpoint-protection/
• Indicator Removal on MITRE ATT&CK

📝 Notes

Each approach comes with certain caveats or limitations. These can often be tacit knowledge or assumed that "everyone knows that" (even though they don't). This can lead to incorrect assumptions and analysis. Explicitly stating what is covered and not covered by the approach reduces ambiguity.

Covered

• CrowdStrike's built-in detection for "indicator removal on host" events.

Not Covered

• CrowdStrike may not have all log clear/delete events as part of this detection.

💾 Data

The following data source(s) are needed for this approach to the question.

• CrowdStrike: PlatformEvents

⚙️ Processors

A processor is what takes the data collected and processes it in some way to produce structured data for an investigator to review. Multiple processor options can be defined, as there are often multiple programs capable of doing similar processing. Plaso is an example of a processor (it processes raw artifacts into a timeline). After the data is processed, additional analysis steps may be needed to answer the question.

The following processors can process the raw data specified above. Explicit instructions on how to run the processor are not included here, but any relevant configuration options are.

Splunk

More information on Splunk.

📊 Analysis

After processing the raw data, further analysis steps are necessary to answer the question. After loading Splunk's output into one of these analysis platforms, use the following steps to refine the data to answer the question.

Splunk-Query

1. Query searching for indicator removal on host events.
2. Type: splunk-query
3. Value: ComputerName="{hostname}" Technique="Indicator Removal on Host"

Examine Windows Event Logs for Audit Log cleared

🗂️ Explanation

On Windows systems, log clearance events for Security event log will be logged with event ID 1102. The logs contain the actor account name, domain name, logon id fields.

References

• 1102(S): The audit log was cleared.
• Indicator Removal: Clear Windows Event Logs on MITRE ATT&CK

📝 Notes

Each approach comes with certain caveats or limitations. These can often be tacit knowledge or assumed that "everyone knows that" (even though they don't). This can lead to incorrect assumptions and analysis. Explicitly stating what is covered and not covered by the approach reduces ambiguity.

Covered

• Security event log clearance events on Windows systems.

Not Covered

• If the log is deleted or otherwise altered, this event may not be logged.
• Only applies to Windows Security audit logs.

💾 Data

The following data source(s) are needed for this approach to the question.

Description

Windows Event Log files

Type

ForensicArtifact

Value

WindowsEventLogs (view on GitHub)

⚙️ Processors

A processor is what takes the data collected and processes it in some way to produce structured data for an investigator to review. Multiple processor options can be defined, as there are often multiple programs capable of doing similar processing. Plaso is an example of a processor (it processes raw artifacts into a timeline). After the data is processed, additional analysis steps may be needed to answer the question.

The following processors can process the raw data specified above. Explicit instructions on how to run the processor are not included here, but any relevant configuration options are.

Plaso

More information on Plaso.

Recommended options:

 --parsers winevtx

📊 Analysis

After processing the raw data, further analysis steps are necessary to answer the question. After loading Plaso's output into one of these analysis platforms, use the following steps to refine the data to answer the question.

OpenSearch

1. Filter the results to events containing audit log clearance.

2. OpenSearch query:

   data_type:"windows:evtx:record" event_identifier:1102 source_name:"Microsoft-Windows-Security-Auditing"