Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Техника Очистка журналов событий Windows
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Очистка журналов событий Windo...
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Indicator Removal:  Очистка журналов событий Windows

ID Название
.001 Очистка журналов событий Windows
.002 Очистка системных журналов Linux или Mac
.003 Очистка истории команд
.004 Удаление файлов
.005 Удаление подключений к общим сетевым ресурсам
.006 Изменение временных меток
.007 Очистка истории сетевых соединений и конфигураций
.008 Очистка почтового ящика
.009 Удаление индикаторов компрометации
.010 Relocate Malware

Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit. With administrator privileges, the event logs can be cleared with the following utility commands: * wevtutil cl system * wevtutil cl application * wevtutil cl security These logs may also be cleared through other mechanisms, such as the event viewer GUI or PowerShell. For example, adversaries may use the PowerShell command Remove-EventLog -LogName Security to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging) Adversaries may also attempt to clear logs by directly deleting the stored log files within `C:\Windows\System32\winevt\logs\`.

ID: T1070.001
Относится к технике:  T1070
Тактика(-и): Defense Evasion
Платформы: Windows
Источники данных: Command: Command Execution, File: File Deletion, Process: OS API Execution, Process: Process Creation
Версия: 1.5
Дата создания: 28 Jan 2020
Последнее изменение: 15 Apr 2025

Примеры процедур
Название Описание
SynAck

SynAck clears event logs.(Citation: SecureList SynAck Doppelgänging May 2018)
RansomHub

RansomHub can delete events from the Security, System, and Application logs.(Citation: Group-IB RansomHub FEB 2025)
Olympic Destroyer

Olympic Destroyer will attempt to clear the System and Security event logs using wevtutil.(Citation: Talos Olympic Destroyer 2018)
DUSTTRAP

DUSTTRAP can delete infected system log information.(Citation: Google Cloud APT41 2024)
Mafalda

Mafalda can delete Windows Event logs by invoking the `OpenEventLogW` and `ClearEventLogW` functions.(Citation: SentinelLabs Metador Sept 2022)
ShrinkLocker

ShrinkLocker calls Wevtutil to clear the Windows PowerShell and Microsoft-Windows-Powershell/Operational logs.(Citation: Kaspersky ShrinkLocker 2024)
Apostle

Apostle will attempt to delete all event logs on a victim machine following file wipe activity.(Citation: SentinelOne Agrius 2021)
BlackCat

BlackCat can clear Windows event logs using `wevtutil.exe`.(Citation: Microsoft BlackCat Jun 2022)
Lucifer

Lucifer can clear and remove event logs.(Citation: Unit 42 Lucifer June 2020)
BlackEnergy

The BlackEnergy component KillDisk is capable of deleting Windows Event Logs.(Citation: ESEST Black Energy Jan 2016)
NotPetya

NotPetya uses wevtutil to clear the Windows event logs.(Citation: Talos Nyetya June 2017)(Citation: US District Court Indictment GRU Unit 74455 October 2020)
RunningRAT

RunningRAT contains code to clear event logs.(Citation: McAfee Gold Dragon)
MultiLayer Wiper

MultiLayer Wiper removes Windows event logs during execution.(Citation: Unit42 Agrius 2023)
LockBit 3.0

LockBit 3.0 can delete log files on targeted systems.(Citation: Joint Cybersecurity Advisory LockBit JUN 2023)(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)
Hydraq

Hydraq creates a backdoor through which remote attackers can clear all system event logs.(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: Symantec Hydraq Jan 2010)
gh0st RAT

gh0st RAT is able to wipe event logs.(Citation: FireEye Hacking Team)(Citation: Gh0stRAT ATT March 2019)
HermeticWiper

HermeticWiper can overwrite the `C:\Windows\System32\winevt\Logs` file on a targeted system.(Citation: ESET Hermetic Wizard March 2022)
LockBit 2.0

LockBit 2.0 can delete log files through the use of wevtutil.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation: Palo Alto Lockbit 2.0 JUN 2022)(Citation: Cybereason Lockbit 2.0)(Citation: SentinelOne LockBit 2.0)
FinFisher

FinFisher clears the system event logs using OpenEventLog/ClearEventLog APIs .(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)
Pupy

Pupy has a module to clear event logs with PowerShell.(Citation: GitHub Pupy)
ZxShell

ZxShell has a command to clear system event logs.(Citation: Talos ZxShell Oct 2014)

Meteor

Meteor can use Wevtutil to remove Security, System and Application Event Viewer logs.(Citation: Check Point Meteor Aug 2021)
KillDisk

KillDisk deletes Application, Security, Setup, and System Windows Event Logs.(Citation: ESEST Black Energy Jan 2016)
Wevtutil

Wevtutil can be used to clear system and security event logs from the system.(Citation: Wevtutil Microsoft Documentation)(Citation: Crowdstrike DNC June 2016)
HermeticWizard

HermeticWizard has the ability to use `wevtutil cl system` to clear event logs.(Citation: ESET Hermetic Wizard March 2022)
APT28

APT28 has cleared event logs, including by using the commands wevtutil cl System and wevtutil cl Security.(Citation: Crowdstrike DNC June 2016)(Citation: DOJ GRU Indictment Jul 2018)
Operation Wocao

Operation Wocao has deleted Windows Event Logs to hinder forensic investigation.(Citation: FoxIT Wocao December 2019)
Indrik Spider

Indrik Spider has used Cobalt Strike to empty log files.(Citation: Symantec WastedLocker June 2020) Additionally, Indrik Spider has cleared all event logs using `wevutil`.(Citation: Mandiant_UNC2165)

APT38

APT38 clears Window Event logs and Sysmon logs from the system.(Citation: FireEye APT38 Oct 2018)
Dragonfly 2.0

Dragonfly 2.0 cleared Windows event logs and other logs produced by tools they used, including system, security, terminal services, remote services, and audit logs. The actors also deleted specific Registry keys.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017)
Aquatic Panda

Aquatic Panda clears Windows Event Logs following activity to evade defenses.(Citation: Crowdstrike HuntReport 2022)
APT32

APT32 has cleared select event log entries.(Citation: FireEye APT32 May 2017)
Dragonfly

Dragonfly has cleared Windows event logs and other logs produced by tools they used, including system, security, terminal services, remote services, and audit logs. The actors also deleted specific Registry keys.(Citation: US-CERT TA18-074A)
Chimera

Chimera has cleared event logs on compromised hosts.(Citation: NCC Group Chimera January 2021)
Volt Typhoon

Volt Typhoon has selectively cleared Windows Event Logs, system logs, and other technical artifacts to remove evidence of intrusion activity.(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)
Play

Play has used tools to remove log files on targeted systems.(Citation: CISA Play Ransomware Advisory December 2023)(Citation: Trend Micro Ransomware Spotlight Play July 2023)
APT41

APT41 attempted to remove evidence of some of its activity by clearing Windows security and system events.(Citation: FireEye APT41 Aug 2019)
FIN8

FIN8 has cleared logs during post compromise cleanup activities.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)
HAFNIUM

HAFNIUM has cleared actor-performed actions from logs.(Citation: Microsoft Silk Typhoon MAR 2025)
FIN5

FIN5 has cleared event logs from victims.(Citation: Mandiant FIN5 GrrCON Oct 2016)

Контрмеры
Контрмера Описание
Restrict File and Directory Permissions

Restricting file and directory permissions involves setting access controls at the file system level to limit which users, groups, or processes can read, write, or execute files. By configuring permissions appropriately, organizations can reduce the attack surface for adversaries seeking to access sensitive data, plant malicious code, or tamper with system files. Enforce Least Privilege Permissions: - Remove unnecessary write permissions on sensitive files and directories. - Use file ownership and groups to control access for specific roles. Example (Windows): Right-click the shared folder → Properties → Security tab → Adjust permissions for NTFS ACLs. Harden File Shares: - Disable anonymous access to shared folders. - Enforce NTFS permissions for shared folders on Windows. Example: Set permissions to restrict write access to critical files, such as system executables (e.g., `/bin` or `/sbin` on Linux). Use tools like `chown` and `chmod` to assign file ownership and limit access. On Linux, apply: `chmod 750 /etc/sensitive.conf` `chown root:admin /etc/sensitive.conf` File Integrity Monitoring (FIM): - Use tools like Tripwire, Wazuh, or OSSEC to monitor changes to critical file permissions. Audit File System Access: - Enable auditing to track permission changes or unauthorized access attempts. - Use auditd (Linux) or Event Viewer (Windows) to log activities. Restrict Startup Directories: - Configure permissions to prevent unauthorized writes to directories like `C:\ProgramData\Microsoft\Windows\Start Menu`. Example: Restrict write access to critical directories like `/etc/`, `/usr/local/`, and Windows directories such as `C:\Windows\System32`. - On Windows, use icacls to modify permissions: `icacls "C:\Windows\System32" /inheritance:r /grant:r SYSTEM:(OI)(CI)F` - On Linux, monitor permissions using tools like `lsattr` or `auditd`.
Remote Data Storage

Remote Data Storage focuses on moving critical data, such as security logs and sensitive files, to secure, off-host locations to minimize unauthorized access, tampering, or destruction by adversaries. By leveraging remote storage solutions, organizations enhance the protection of forensic evidence, sensitive information, and monitoring data. This mitigation can be implemented through the following measures: Centralized Log Management: - Configure endpoints to forward security logs to a centralized log collector or SIEM. - Use tools like Splunk Graylog, or Security Onion to aggregate and store logs. - Example command (Linux): `sudo auditd | tee /var/log/audit/audit.log | nc 514` Remote File Storage Solutions: - Utilize cloud storage solutions like AWS S3, Google Cloud Storage, or Azure Blob Storage for sensitive data. - Ensure proper encryption at rest and access control policies (IAM roles, ACLs). Intrusion Detection Log Forwarding: - Forward logs from IDS/IPS systems (e.g., Zeek/Suricata) to a remote security information system. - Example for Suricata log forwarding: `outputs: - type: syslog protocol: tls address: ` Immutable Backup Configurations: - Enable immutable storage settings for backups to prevent adversaries from modifying or deleting data. - Example: AWS S3 Object Lock. Data Encryption: - Ensure encryption for sensitive data using AES-256 at rest and TLS 1.2+ for data in transit. Tools: OpenSSL, BitLocker, LUKS for Linux.
Encrypt Sensitive Information

Protect sensitive information at rest, in transit, and during processing by using strong encryption algorithms. Encryption ensures the confidentiality and integrity of data, preventing unauthorized access or tampering. This mitigation can be implemented through the following measures: Encrypt Data at Rest: - Use Case: Use full-disk encryption or file-level encryption to secure sensitive data stored on devices. - Implementation: Implement BitLocker for Windows systems or FileVault for macOS devices to encrypt hard drives. Encrypt Data in Transit: - Use Case: Use secure communication protocols (e.g., TLS, HTTPS) to encrypt sensitive data as it travels over networks. - Implementation: Enable HTTPS for all web applications and configure mail servers to enforce STARTTLS for email encryption. Encrypt Backups: - Use Case: Ensure that backup data is encrypted both during storage and transfer to prevent unauthorized access. - Implementation: Encrypt cloud backups using AES-256 before uploading them to Amazon S3 or Google Cloud. Encrypt Application Secrets: - Use Case: Store sensitive credentials, API keys, and configuration files in encrypted vaults. - Implementation: Use HashiCorp Vault or AWS Secrets Manager to manage and encrypt secrets. Database Encryption: - Use Case: Enable Transparent Data Encryption (TDE) or column-level encryption in database management systems. - Implementation: Use MySQL’s built-in encryption features to encrypt sensitive database fields such as social security numbers.
Indicator Removal on Host Mitigation

Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.

Обнаружение

Deleting Windows event logs (via native binaries (Citation: Microsoft wevtutil Oct 2017), API functions (Citation: Microsoft EventLog.Clear), or PowerShell (Citation: Microsoft Clear-EventLog)) may also generate an alterable event (Event ID 1102: "The audit log was cleared").

Ссылки

  1. Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.
  2. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  3. Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
  4. CISA. (2023, December 18). #StopRansomware: Play Ransomware AA23-352A. Retrieved September 24, 2024.
  5. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  6. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022.
  7. Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved May 18, 2016.
  8. Microsoft. (n.d.). wevtutil. Retrieved September 14, 2021.
  9. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  10. Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024.
  11. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  12. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  13. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  14. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  15. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  16. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 17, 2024.
  17. Microsoft Threat Intelligence . (2025, March 5). Silk Typhoon targeting IT supply chain. Retrieved March 20, 2025.
  18. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  19. Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
  20. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.
  21. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023.
  22. FBI et al. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved February 5, 2025.
  23. Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024.
  24. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  25. Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.
  26. Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.
  27. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  28. Microsoft. (n.d.). EventLog.Clear Method (). Retrieved July 2, 2018.
  29. Microsoft. (n.d.). Clear-EventLog. Retrieved July 2, 2018.
  30. Alfano, V. et al. (2025, February 12). RansomHub Never Sleeps Episode 1: The evolution of modern ransomware. Retrieved March 17, 2025.
  31. Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  32. CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024.
  33. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
  34. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
  35. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved November 17, 2024.
  36. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  37. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  38. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.
  39. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  40. FinFisher. (n.d.). Retrieved September 12, 2024.
  41. Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.
  42. CISA et al. (2023, June 14). UNDERSTANDING RANSOMWARE THREAT ACTORS: LOCKBIT. Retrieved February 5, 2025.
  43. Heiligenstein, L. (n.d.). REP-25: Disable Windows Event Logging. Retrieved April 7, 2022.
  44. Elsad, A. et al. (2022, June 9). LockBit 2.0: How This RaaS Operates and How to Protect Against It. Retrieved January 24, 2025.
  45. FBI. (2022, February 4). Indicators of Compromise Associated with LockBit 2.0 Ransomware. Retrieved January 24, 2025.
  46. SentinelOne. (n.d.). LockBit 2.0: In-Depth Analysis, Detection, Mitigation, and Removal. Retrieved January 24, 2025.
  47. Cybereason Global SOC Team. (n.d.). THREAT ANALYSIS REPORT: LockBit 2.0 - All Paths Lead to Ransom. Retrieved January 24, 2025.
  48. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
  49. Cristian Souza, Eduardo Ovalle, Ashley Muñoz, & Christopher Zachor. (2024, May 23). ShrinkLocker: Turning BitLocker into ransomware. Retrieved December 7, 2024.
  50. FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016.
  51. Mandiant Intelligence. (2022, June 2). To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions. Retrieved July 29, 2024.
  52. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  53. Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.
  54. Plett, C. et al.. (2017, October 16). wevtutil. Retrieved July 2, 2018.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.