Windows eventlog cleared

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects when critical Windows event logs are cleared.

Strategy

This rule monitors for event ID 104 from the Microsoft-Windows-Eventlog provider, which Windows writes when an event log is cleared. The query restricts matches to security-relevant channels: Security, System, PowerShell/Operational, PowerShellCore/Operational, Sysmon/Operational, and Windows PowerShell.

Event logs record the system and security activity that incident response and forensic analysis depend on. The @Event.EventData.Data.Channel field identifies which log was cleared. Log clearing can occur during routine maintenance (for example, when a log is rotated or reset by an administrator), but clearing the logs listed above is rarely part of normal operations and should be treated as highly suspicious until a documented reason is found.
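The following is an added example (not Datadog's rule code) that replays the rule's logic over constructed events: it keeps only event ID 104 from the Microsoft-Windows-Eventlog provider whose cleared channel is one of the watched logs, and it tolerates malformed lines and event IDs delivered as strings. The only field path taken from the page is @Event.EventData.Data.Channel; the event ID, provider, computer and SubjectUserName paths are assumptions modelled on the Datadog Agent's XML-to-JSON layout for Windows events, and the prefix-stripping that lets the page's short channel names match the full "Microsoft-Windows-..." channel names is a choice made here.

```python
"""Replay the 'Windows eventlog cleared' detection over constructed events.

Added example, not Datadog's rule implementation. Assumed field layout
(only Event.EventData.Data.Channel comes from the rule page):
  Event.System.EventID, Event.System.Provider.Name, Event.System.Computer,
  Event.EventData.Data.Channel, Event.EventData.Data.SubjectUserName
"""
import json

# Channels the rule treats as security-relevant, as the page lists them.
# Names are compared case-insensitively after dropping the
# "Microsoft-Windows-" prefix, so "Microsoft-Windows-Sysmon/Operational"
# matches the page's "Sysmon/Operational".
WATCHED_CHANNELS = {
    "security",
    "system",
    "powershell/operational",
    "powershellcore/operational",
    "sysmon/operational",
    "windows powershell",
}
LOG_CLEARED_EVENT_ID = 104
EVENTLOG_PROVIDER = "Microsoft-Windows-Eventlog"


def _get(event, path):
    """Walk a dotted path through nested dicts; None if any hop is missing."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def _normalize_channel(name):
    name = name.strip().lower()
    prefix = "microsoft-windows-"
    return name[len(prefix):] if name.startswith(prefix) else name


def matches_rule(event):
    """True when the event is a clear of one of the watched logs."""
    try:
        event_id = int(_get(event, "Event.System.EventID"))
    except (TypeError, ValueError):
        return False  # missing or non-numeric EventID: not a 104
    if event_id != LOG_CLEARED_EVENT_ID:
        return False
    if _get(event, "Event.System.Provider.Name") != EVENTLOG_PROVIDER:
        return False
    channel = _get(event, "Event.EventData.Data.Channel")
    if not isinstance(channel, str):
        return False
    return _normalize_channel(channel) in WATCHED_CHANNELS


def detect(raw_lines):
    """Run the rule over JSON lines; return one finding per matching event."""
    findings = []
    for line in raw_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip garbage rather than crash the pipeline
        if matches_rule(event):
            findings.append({
                "host": _get(event, "Event.System.Computer"),
                "channel": _get(event, "Event.EventData.Data.Channel"),
                "user": _get(event, "Event.EventData.Data.SubjectUserName"),
            })
    return findings


def _make(host, event_id, provider, channel, user):
    """Build a constructed event in the assumed Agent layout."""
    return {"Event": {
        "System": {"EventID": event_id, "Provider": {"Name": provider},
                   "Computer": host},
        "EventData": {"Data": {"Channel": channel, "SubjectUserName": user}},
    }}


# Constructed sample input: two real hits, an unwatched channel, an unrelated
# event ID (string-typed on purpose), a 104 from another provider.
SAMPLE_EVENTS = [
    _make("WS-0142", 104, EVENTLOG_PROVIDER, "Security", "jdoe"),
    _make("WS-0142", 104, EVENTLOG_PROVIDER, "Application", "jdoe"),
    _make("WS-0142", "4624", EVENTLOG_PROVIDER, "Security", "jdoe"),
    _make("SRV-DC01", 104, EVENTLOG_PROVIDER,
          "Microsoft-Windows-Sysmon/Operational", "svc_backup"),
    _make("SRV-DC01", 104, "Some-Other-Provider", "Security", "svc_backup"),
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS] + ["not json at all"]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LINES):
        print(hit)
```

Running the block prints the two findings (the Security clear on WS-0142 by jdoe and the Sysmon clear on SRV-DC01 by svc_backup); the Application clear, the 4624 logon, the 104 from another provider and the non-JSON line are all dropped.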

Attackers frequently clear event logs to remove evidence of their intrusion, lateral movement, privilege escalation, or other malicious activity. Doing so significantly hampers security investigations and is a deliberate attempt to evade detection.

Triage & Response

  • Identify the specific log that was cleared on {{host}} (the @Event.EventData.Data.Channel field) and the user account that performed the action.
  • Determine whether the account that cleared the log has legitimate administrative permissions on that host.
  • Review copies of the log retained elsewhere (forwarded events, the SIEM, backups) for suspicious activity in the period before the clear. Note that clearing the Security log is also recorded as event ID 1102 in the Security log itself; correlate the two when the Security channel is involved.
  • Examine authentication logs for unusual logon patterns or unauthorized access around the time of the clear.
  • Look for other anti-forensic techniques, such as disabling auditing, shrinking log sizes, or tampering with other logs.
  • Search for process execution events that indicate log-clearing tools, such as wevtutil.exe with the cl argument or the PowerShell Clear-EventLog cmdlet.
  • Assess whether the log clearing was part of documented maintenance procedures.
  • If the clearing was unauthorized, reset credentials for the accounts involved and treat the host as compromised pending further investigation.