
[New Rule] Clearing Windows Security Logs #529


Merged
merged 20 commits into from
Jan 12, 2021
Commits
2daae16
[New Rule] Clearing Windows Security Logs
janniten Nov 12, 2020
ec8895f
Fix Date Format Error
janniten Nov 16, 2020
fedefea
Merge branch 'main' into windows-clear-security-log
threat-punter Nov 19, 2020
68b1fad
Merge branch 'main' into windows-clear-security-log
brokensound77 Dec 9, 2020
34b5b69
Update rules/windows/defense_evasion_clearing_windows_security_logs.toml
janniten Dec 9, 2020
470eb52
Update rules/windows/defense_evasion_clearing_windows_security_logs.toml
janniten Dec 9, 2020
d9bf610
Update rules/windows/defense_evasion_clearing_windows_security_logs.toml
janniten Dec 9, 2020
be4d4a2
Update rules/windows/defense_evasion_clearing_windows_security_logs.toml
janniten Dec 9, 2020
c3e27bd
Update rules/windows/defense_evasion_clearing_windows_security_logs.toml
janniten Dec 9, 2020
721badc
Update rules/windows/defense_evasion_clearing_windows_security_logs.toml
janniten Dec 9, 2020
f1f8b92
Update rules/windows/defense_evasion_clearing_windows_security_logs.toml
janniten Dec 9, 2020
c59dc4b
Update rules/windows/defense_evasion_clearing_windows_security_logs.toml
janniten Dec 9, 2020
7336873
Update rules/windows/defense_evasion_clearing_windows_security_logs.toml
janniten Dec 9, 2020
eddb2e4
Merge branch 'main' into windows-clear-security-log
brokensound77 Dec 9, 2020
7370664
Add Elastic tag
threat-punter Dec 9, 2020
a84c17a
Merge branch 'main' into windows-clear-security-log
threat-punter Jan 4, 2021
04ed9ed
update maturity
threat-punter Jan 4, 2021
8df0879
Add Elastic to list of authors
threat-punter Jan 11, 2021
cfe60fd
bump updated_date
threat-punter Jan 11, 2021
087fa79
Merge branch 'main' into windows-clear-security-log
threat-punter Jan 11, 2021
36 changes: 36 additions & 0 deletions rules/windows/defense_evasion_clearing_windows_security_logs.toml
@@ -0,0 +1,36 @@
[metadata]
creation_date = "2020/11/12"
maturity = "production"
updated_date = "2021/01/11"

[rule]
author = ["Elastic", "Anabella Cristaldi"]
description = """
Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade
detection or destroy forensic evidence on a system.
"""
from = "now-9m"
index = ["winlogbeat-*"]
language = "kuery"
license = "Elastic License"
name = "Windows Event Logs Cleared"
risk_score = 21
rule_id = "45ac4800-840f-414c-b221-53dd36a5aaf7"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
type = "query"

query = '''
event.action:("audit-log-cleared" or "Log clear")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal on Host"
reference = "https://attack.mitre.org/techniques/T1070/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
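Review bot: the query is broader than the file name and PR title suggest, and the description should say which events it actually matches. The file is `defense_evasion_clearing_windows_security_logs.toml` and the PR is titled "Clearing Windows Security Logs", but `name = "Windows Event Logs Cleared"` and the description speak of "Windows event log stores" in general, while the query only fires on two `event.action` strings, `"audit-log-cleared"` or `"Log clear"`, against `winlogbeat-*`. Either rename the file to match the rule name or narrow the description, and document in the description which Windows event log channels and sources produce those two action values, since the rule is entirely dependent on that field mapping from Winlogbeat and a reader of the rule cannot tell that from the query alone. A `false_positives` entry is also missing: log clearing is a routine administrative action (for example from Event Viewer or during maintenance), which is presumably why `severity = "low"` and `risk_score = 21` were chosen, and that rationale belongs in the rule so analysts tuning it understand the expected noise. Minor: `tags` lists `"Threat Detection"` where the other rules in this repository would be the reference for the exact tag set, so please confirm that spelling against an existing Windows rule.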