Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.
With administrator privileges, the event logs can be cleared with the following utility commands:
These logs may also be cleared through other mechanisms, such as the event viewer GUI or PowerShell. For example, adversaries may use the PowerShell command <code>Remove-EventLog -LogName Security</code> to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)
Adversaries may also attempt to clear logs by directly deleting the stored log files within C:\Windows\System32\winevt\logs\.
Detection of Event Log Clearing on Windows via Behavioral Chain
Restrict File and Directory Permissions: Restricting file and directory permissions involves setting access controls at the file system level to limit which users, groups, or processes can read, write, or execute files. By configuring permissions appropriately, organizations can reduce the attack surface for adversaries seeking to access sensitive data, plant malicious code, or tamper with system files.
Enforce Least Privilege Permissions:
Example (Windows): Right-click the shared folder → Properties → Security tab → Adjust permissions for NTFS ACLs.
Harden File Shares:
Example: Set permissions to restrict write access to critical files, such as system executables (e.g., /bin or /sbin on Linux). Use tools like chown and chmod to assign file ownership and limit access.
On Linux, apply:
chmod 750 /etc/sensitive.conf
chown root:admin /etc/sensitive.conf
File Integrity Monitoring (FIM):
Audit File System Access:
Restrict Startup Directories:
C:\ProgramData\Microsoft\Windows\Start Menu.Example: Restrict write access to critical directories like /etc/, /usr/local/, and Windows directories such as C:\Windows\System32.
icacls "C:\Windows\System32" /inheritance:r /grant:r SYSTEM:(OI)(CI)Flsattr or auditd.Remote Data Storage: Remote Data Storage focuses on moving critical data, such as security logs and sensitive files, to secure, off-host locations to minimize unauthorized access, tampering, or destruction by adversaries. By leveraging remote storage solutions, organizations enhance the protection of forensic evidence, sensitive information, and monitoring data. This mitigation can be implemented through the following measures:
Centralized Log Management:
sudo auditd | tee /var/log/audit/audit.log | nc <remote-log-server> 514Remote File Storage Solutions:
Intrusion Detection Log Forwarding:
Immutable Backup Configurations:
Data Encryption:
Encrypt Sensitive Information: Protect sensitive information at rest, in transit, and during processing by using strong encryption algorithms. Encryption ensures the confidentiality and integrity of data, preventing unauthorized access or tampering. This mitigation can be implemented through the following measures:
Encrypt Data at Rest:
Encrypt Data in Transit:
Encrypt Backups:
Encrypt Application Secrets:
Database Encryption: