-
Notifications
You must be signed in to change notification settings - Fork 327
/
CAR-2016-04-002.yaml
50 lines (50 loc) · 2.58 KB
/
CAR-2016-04-002.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
title: User Activity from Clearing Event Logs
submission_date: 2016/04/14
information_domain: Host
platforms:
- Windows
- Linux
- macOS
subtypes:
- Event Records
analytic_types:
- Anomaly
contributors:
- MITRE/NSA
id: CAR-2016-04-002
description: 'It is unlikely that event log data would be cleared during normal operations, and it is likely that malicious attackers may try to cover their tracks by clearing an event log. When an event log gets cleared, it is suspicious. Alerting when a "Clear Event Log" is generated could point to this intruder technique. Centrally collecting events has the added benefit of making it much harder for attackers to cover their tracks. Event Forwarding permits sources to forward multiple copies of a collected event to multiple collectors, thus enabling redundant event collection. Using a redundant event collection model can minimize the single point of failure risk.'
coverage:
- technique: T1070
tactics:
- TA0005
subtechniques:
- T1070.001
coverage: Moderate
implementations:
- description: 'When an eventlog is cleared, a new event is created that alerts that the eventlog was cleared. For Security logs, its event code 1100 and 1102. For System logs, it is event code 104.'
code: |-
([log_name] == "Security" and [event_code] in [1100, 1102]) or
([log_name] == "System" and [event_code] == 104)
type: pseudocode
- name: Sigma rule (System log)
description: '[Sigma version](https://github.com/Neo23x0/sigma/blob/master/rules/windows/builtin/win_susp_eventlog_cleared.yml) of the above pseudocode, focusing only on the System log.'
type: Sigma
- name: Sigma rule (Security log)
description: '[Sigma version](https://github.com/Neo23x0/sigma/blob/master/rules/windows/builtin/win_susp_security_eventlog_cleared.yml) of the above pseudocode, focusing only on the Security log.'
type: Sigma
- description: LogPoint version of the above pseudocode.
code: |-
norm_id=WinServer ((channel="Security" event_id IN [1100,1102]) OR (channel="System" event_id=104))
type: LogPoint
data_mode: LogPoint native
unit_tests:
- configurations:
- Windows 7
description: You can use the powershell cmdlet “Clear-Eventlog” to clear event logs. Open Powershell as administrator and execute Clear-Eventlog `Clear-EventLog [-LogName] \<String[]\>`. [Additional information here](https://technet.microsoft.com/en-us/library/hh849789.aspx).
commands:
- Clear-Eventlog Security
- Clear-Eventlog System
d3fend_mappings:
- iri: d3f:RPCTrafficAnalysis
id: D3-RTA
label: RPC Traffic Analysis