Investigating "Clearing of Windows Event Log" findings

Overview

This guide contains helpful tips for investigating “Clearing of Windows Event Log” findings. Clearing Windows event logs can be an indication that a malicious actor is attempting to remove evidence of their actions and cover their tracks. This detection is triggered when Windows logs include event ID 104, which indicates that a log file was cleared.

Using Report Builder to investigate surrounding activity on the device

Reference: See Using the Report Builder for more information on building reports.

To investigate the activity that led to the “Clearing of Windows Event Log” finding, build a report in Report Builder and consider the following:

  • Which logs were cleared? Review the channel_name field.
  • Who cleared those logs? Review the subject_account_name field.
  • Is that log channel from channel_name configured to be cleared automatically?
  • What processes were running at the time? Review the process_name and parent_process_name fields.
  • What commands were executed around the time of this event? Review the command field.
  • Are there any scheduled tasks configured to clear the log?

To build a report and review surrounding events, do the following:

  1. In the finding, locate the device’s name in the devname field, which you will use to filter your report in later steps.
  2. Keeping your finding tab open, open another browser window and navigate to Reporting > Report Builder.
  3. Set Time Range to include the time of the activity that you need to investigate.
  4. In Data Sources select Microsoft Windows.
  5. Click Edit Report and then Add Filter.
  6. Click Add Filter and then add the following filters:
    1. Add a filter for the device name, from the devname field in the finding.
      Example: devname - Equal - workstation1
    2. Add a filter for the Windows event IDs, from the windows_event_id field in the finding, which are process creation and log clearing events.
      Example: windows_event_id - In - 4688 104
  7. Under Selected Columns, add columns to your report such as those below to see more information about the related processes:
    • devname
    • device_address
    • domain
    • user
    • process_name
    • process_id
    • command
    • parent_process_name
    • parent_process_id
    • parent.cmdline
    • description
    • windows_event_id
    • subject_account_name
    • channel_name
  8. Click Submit to run the report.

Adding detection filters

If the log channel name in the finding is expected to be cleared regularly, such as by the SYSTEM account, a filter similar to the example below may be added to suppress future findings for that expected activity. All conditions in the filter must match for a finding to be suppressed, so keep the filter as narrow as the expected activity.

Example: Excluding the clearing of a specific log channel, on a specific device, by a specified account:

channel_name - Equal - Log_channel1
AND
subject_account_name - Equal - SYSTEM
AND
devname - Equal - Workstation1