Overview
This guide contains helpful tips for investigating “Clearing of Windows Event Log” findings. Clearing Windows event logs can be an indication that a malicious actor is attempting to remove evidence of their actions and cover their tracks. This detection is triggered when Windows logs include event ID 104, indicating that the log file was cleared.
Using report builder to investigate surrounding activity on the device
Reference: See Using the Report Builder for more information on building reports.
To investigate the activity that led to the “Clearing of Windows Event Log” finding, build a report in Report Builder and consider the following:
- Which logs were cleared? Review the
channel_namefield. - Who cleared those logs? Review the
subject_account_name field. - Is that log channel from
channel_nameconfigured to be cleared automatically? -
What processes were running at the time? Review the
process_nameandparent_process_namefields. - What commands were executed around the time of this event? Review the
commandfield. - Are there any scheduled tasks configured to clear the log?
To build a report and review surrounding events, do the following:
- In the finding, locate the device’s name in the
devnamefield, which you will use to filter your report in later steps. - Keeping your finding tab open, open another browser window and navigate to Reporting > Report Builder.
- Set Time Range to include the time of the activity that you need to investigate.
- In Data Sources select Microsoft Windows.
- Click Edit Report and then Add Filter.
- Click Add Filter and then add the following filters:
- Add a filter for the device name, from the
devnamefield in the finding.
Example:devname-Equal-workstation1 - Add a filter for the Windows event IDs, from the
windows_event_idfield in the finding, which are process creation and log clearing events.
Example:windows_event_id-In-4688104
- Add a filter for the device name, from the
- Under Selected Columns, add columns to your report, such as those below, to see more information about the related processes:
devnamedevice_addressdomainuserprocess_nameprocess_idcommandparent_process_nameparent_process_idparent.cmdlinedescriptionwindows_event_idsubject_account_namechannel_name
- Click Submit to run the report.
Adding detection filters
If the log channel name in the finding is expected to be regularly cleared, such as by the SYSTEM account, a filter similar to the example below may be added to prevent future findings.
Example: Excluding a specific channel name on a desired device being cleared by a specified account:
channel_name - Equal - Log_channel1
ANDsubject_account_name - Equal - SYSTEM
ANDdevname - Equal - Workstation1