Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Техника Очистка журналов событий Windows
Сертификаты СЗИ
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Очистка журналов событий Windo...
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Indicator Removal:  Очистка журналов событий Windows

ID Название
.001 Очистка журналов событий Windows
.002 Очистка системных журналов Linux или Mac
.003 Очистка истории команд
.004 Удаление файлов
.005 Удаление подключений к общим сетевым ресурсам
.006 Изменение временных меток
.007 Очистка истории сетевых соединений и конфигураций
.008 Очистка почтового ящика
.009 Удаление индикаторов компрометации
.010 Relocate Malware

Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit. With administrator privileges, the event logs can be cleared with the following utility commands: * wevtutil cl system * wevtutil cl application * wevtutil cl security These logs may also be cleared through other mechanisms, such as the event viewer GUI or PowerShell. For example, adversaries may use the PowerShell command Remove-EventLog -LogName Security to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging) Adversaries may also attempt to clear logs by directly deleting the stored log files within `C:\Windows\System32\winevt\logs\`.

ID: T1070.001
Относится к технике:  T1070
Тактика(-и): Defense Evasion
Платформы: Windows
Источники данных: Command: Command Execution, File: File Deletion, Process: OS API Execution, Process: Process Creation
Версия: 1.4
Дата создания: 28 Jan 2020
Последнее изменение: 16 Apr 2024

Примеры процедур
Название Описание
Meteor

Meteor can use Wevtutil to remove Security, System and Application Event Viewer logs.(Citation: Check Point Meteor Aug 2021)
FIN8

FIN8 has cleared logs during post compromise cleanup activities.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)
SynAck

SynAck clears event logs.(Citation: SecureList SynAck Doppelgänging May 2018)
NotPetya

NotPetya uses wevtutil to clear the Windows event logs.(Citation: Talos Nyetya June 2017)(Citation: US District Court Indictment GRU Unit 74455 October 2020)
Mafalda

Mafalda can delete Windows Event logs by invoking the `OpenEventLogW` and `ClearEventLogW` functions.(Citation: SentinelLabs Metador Sept 2022)
Volt Typhoon

Volt Typhoon has selectively cleared Windows Event Logs, system logs, and other technical artifacts to remove evidence of intrusion activity.(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)
Wevtutil

Wevtutil can be used to clear system and security event logs from the system.(Citation: Wevtutil Microsoft Documentation)(Citation: Crowdstrike DNC June 2016)
Chimera

Chimera has cleared event logs on compromised hosts.(Citation: NCC Group Chimera January 2021)
Aquatic Panda

Aquatic Panda clears Windows Event Logs following activity to evade defenses.(Citation: Crowdstrike HuntReport 2022)
APT28

APT28 has cleared event logs, including by using the commands wevtutil cl System and wevtutil cl Security.(Citation: Crowdstrike DNC June 2016)(Citation: DOJ GRU Indictment Jul 2018)
APT41

APT41 attempted to remove evidence of some of its activity by clearing Windows security and system events.(Citation: FireEye APT41 Aug 2019)
Lucifer

Lucifer can clear and remove event logs.(Citation: Unit 42 Lucifer June 2020)
Olympic Destroyer

Olympic Destroyer will attempt to clear the System and Security event logs using wevtutil.(Citation: Talos Olympic Destroyer 2018)
Indrik Spider

Indrik Spider has used Cobalt Strike to empty log files.(Citation: Symantec WastedLocker June 2020) Additionally, Indrik Spider has cleared all event logs using `wevutil`.(Citation: Mandiant_UNC2165)

Dragonfly 2.0

Dragonfly 2.0 cleared Windows event logs and other logs produced by tools they used, including system, security, terminal services, remote services, and audit logs. The actors also deleted specific Registry keys.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017)
APT38

APT38 clears Window Event logs and Sysmon logs from the system.(Citation: FireEye APT38 Oct 2018)
Dragonfly

Dragonfly has cleared Windows event logs and other logs produced by tools they used, including system, security, terminal services, remote services, and audit logs. The actors also deleted specific Registry keys.(Citation: US-CERT TA18-074A)
FinFisher

FinFisher clears the system event logs using OpenEventLog/ClearEventLog APIs .(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)
BlackCat

BlackCat can clear Windows event logs using `wevtutil.exe`.(Citation: Microsoft BlackCat Jun 2022)
ZxShell

ZxShell has a command to clear system event logs.(Citation: Talos ZxShell Oct 2014)

HermeticWizard

HermeticWizard has the ability to use `wevtutil cl system` to clear event logs.(Citation: ESET Hermetic Wizard March 2022)
APT32

APT32 has cleared select event log entries.(Citation: FireEye APT32 May 2017)
KillDisk

KillDisk deletes Application, Security, Setup, and System Windows Event Logs.(Citation: ESEST Black Energy Jan 2016)
FIN5

FIN5 has cleared event logs from victims.(Citation: Mandiant FIN5 GrrCON Oct 2016)
gh0st RAT

gh0st RAT is able to wipe event logs.(Citation: FireEye Hacking Team)(Citation: Gh0stRAT ATT March 2019)
Hydraq

Hydraq creates a backdoor through which remote attackers can clear all system event logs.(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: Symantec Hydraq Jan 2010)
MultiLayer Wiper

MultiLayer Wiper removes Windows event logs during execution.(Citation: Unit42 Agrius 2023)
DUSTTRAP

DUSTTRAP can delete infected system log information.(Citation: Google Cloud APT41 2024)
Apostle

Apostle will attempt to delete all event logs on a victim machine following file wipe activity.(Citation: SentinelOne Agrius 2021)
Pupy

Pupy has a module to clear event logs with PowerShell.(Citation: GitHub Pupy)
RunningRAT

RunningRAT contains code to clear event logs.(Citation: McAfee Gold Dragon)
BlackEnergy

The BlackEnergy component KillDisk is capable of deleting Windows Event Logs.(Citation: ESEST Black Energy Jan 2016)

During Operation Wocao, the threat actors deleted all Windows system and security event logs using `/Q /c wevtutil cl system` and `/Q /c wevtutil cl security`.(Citation: FoxIT Wocao December 2019)
Operation Wocao

Operation Wocao has deleted Windows Event Logs to hinder forensic investigation.(Citation: FoxIT Wocao December 2019)
HermeticWiper

HermeticWiper can overwrite the `C:\Windows\System32\winevt\Logs` file on a targeted system.(Citation: ESET Hermetic Wizard March 2022)
Play

Play has used tools to remove log files on targeted systems.(Citation: CISA Play Ransomware Advisory December 2023)(Citation: Trend Micro Ransomware Spotlight Play July 2023)

Контрмеры
Контрмера Описание
Restrict File and Directory Permissions

Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.
Remote Data Storage

Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.
Encrypt Sensitive Information

Protect sensitive information with strong encryption.
Indicator Removal on Host Mitigation

Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.

Обнаружение

Deleting Windows event logs (via native binaries (Citation: Microsoft wevtutil Oct 2017), API functions (Citation: Microsoft EventLog.Clear), or PowerShell (Citation: Microsoft Clear-EventLog)) may also generate an alterable event (Event ID 1102: "The audit log was cleared").

Ссылки

  1. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  2. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  3. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  4. Plett, C. et al.. (2017, October 16). wevtutil. Retrieved July 2, 2018.
  5. Microsoft. (n.d.). EventLog.Clear Method (). Retrieved July 2, 2018.
  6. Microsoft. (n.d.). Clear-EventLog. Retrieved July 2, 2018.
  7. Heiligenstein, L. (n.d.). REP-25: Disable Windows Event Logging. Retrieved April 7, 2022.
  8. Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.
  9. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  10. Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
  11. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
  12. Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
  13. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023.
  14. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  15. Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  16. Microsoft. (n.d.). wevtutil. Retrieved September 14, 2021.
  17. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
  18. CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024.
  19. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  20. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  21. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.
  22. Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.
  23. Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.
  24. Mandiant Intelligence. (2022, June 2). To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions. Retrieved July 29, 2024.
  25. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
  26. FinFisher. (n.d.). Retrieved September 12, 2024.
  27. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  28. Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.
  29. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  30. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022.
  31. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  32. Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved May 18, 2016.
  33. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
  34. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.
  35. FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016.
  36. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  37. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  38. Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024.
  39. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  40. Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.
  41. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  42. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  43. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  44. Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024.
  45. CISA. (2023, December 18). #StopRansomware: Play Ransomware AA23-352A. Retrieved September 24, 2024.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.