
Indicator Removal: Clear Windows Event Logs

Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit. The event logs can be cleared with the following utility commands:

* wevtutil cl system
* wevtutil cl application
* wevtutil cl security

These logs may also be cleared through other mechanisms, such as the event viewer GUI or PowerShell.

ID: T1070.001
Sub-technique of: T1070
Tactic(s): Defense Evasion
Platforms: Windows
Data Sources: Command: Command Execution, File: File Deletion, Process: OS API Execution
Version: 1.1
Created: 28 Jan 2020
Last Modified: 20 Apr 2022

Procedure Examples

Name Description
Meteor

Meteor can use Wevtutil to remove Security, System and Application Event Viewer logs.(Citation: Check Point Meteor Aug 2021)

FIN8

FIN8 has cleared logs during post compromise cleanup activities.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

SynAck

SynAck clears event logs.(Citation: SecureList SynAck Doppelgänging May 2018)

NotPetya

NotPetya uses wevtutil to clear the Windows event logs.(Citation: Talos Nyetya June 2017)(Citation: US District Court Indictment GRU Unit 74455 October 2020)

Wevtutil

Wevtutil can be used to clear system and security event logs from the system.(Citation: Wevtutil Microsoft Documentation)(Citation: Crowdstrike DNC June 2016)

Chimera

Chimera has cleared event logs on compromised hosts.(Citation: NCC Group Chimera January 2021)

APT28

APT28 has cleared event logs, including by using the commands wevtutil cl System and wevtutil cl Security.(Citation: Crowdstrike DNC June 2016)(Citation: DOJ GRU Indictment Jul 2018)

APT41

APT41 attempted to remove evidence of some of its activity by clearing Windows security and system events.(Citation: FireEye APT41 Aug 2019)

Lucifer

Lucifer can clear and remove event logs.(Citation: Unit 42 Lucifer June 2020)

Olympic Destroyer

Olympic Destroyer will attempt to clear the System and Security event logs using wevtutil.(Citation: Talos Olympic Destroyer 2018)

Indrik Spider

Indrik Spider has used Cobalt Strike to empty log files.(Citation: Symantec WastedLocker June 2020)

Dragonfly 2.0

Dragonfly 2.0 cleared Windows event logs and other logs produced by tools they used, including system, security, terminal services, remote services, and audit logs. The actors also deleted specific Registry keys.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017)

APT38

APT38 clears Windows Event logs and Sysmon logs from the system.(Citation: FireEye APT38 Oct 2018)

Dragonfly

Dragonfly has cleared Windows event logs and other logs produced by tools they used, including system, security, terminal services, remote services, and audit logs. The actors also deleted specific Registry keys.(Citation: US-CERT TA18-074A)

FinFisher

FinFisher clears the system event logs using OpenEventLog/ClearEventLog APIs.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)

ZxShell

ZxShell has a command to clear system event logs.(Citation: Talos ZxShell Oct 2014)

HermeticWizard

HermeticWizard has the ability to use `wevtutil cl system` to clear event logs.(Citation: ESET Hermetic Wizard March 2022)

APT32

APT32 has cleared select event log entries.(Citation: FireEye APT32 May 2017)

KillDisk

KillDisk deletes Application, Security, Setup, and System Windows Event Logs.(Citation: ESEST Black Energy Jan 2016)

FIN5

FIN5 has cleared event logs from victims.(Citation: Mandiant FIN5 GrrCON Oct 2016)

gh0st RAT

gh0st RAT is able to wipe event logs.(Citation: FireEye Hacking Team)(Citation: Gh0stRAT ATT March 2019)

Hydraq

Hydraq creates a backdoor through which remote attackers can clear all system event logs.(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: Symantec Hydraq Jan 2010)

Pupy

Pupy has a module to clear event logs with PowerShell.(Citation: GitHub Pupy)

RunningRAT

RunningRAT contains code to clear event logs.(Citation: McAfee Gold Dragon)

BlackEnergy

The BlackEnergy component KillDisk is capable of deleting Windows Event Logs.(Citation: ESEST Black Energy Jan 2016)

Operation Wocao

During Operation Wocao, the threat actors deleted all Windows system and security event logs using `/Q /c wevtutil cl system` and `/Q /c wevtutil cl security`.(Citation: FoxIT Wocao December 2019)

Operation Wocao

Operation Wocao has deleted Windows Event Logs to hinder forensic investigation.(Citation: FoxIT Wocao December 2019)

HermeticWiper

HermeticWiper can overwrite the `C:\Windows\System32\winevt\Logs` file on a targeted system.(Citation: ESET Hermetic Wizard March 2022)

Mitigations

Mitigation Description
Restrict File and Directory Permissions

Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.

Remote Data Storage

Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.

Encrypt Sensitive Information

Protect sensitive information with strong encryption.

Indicator Removal on Host Mitigation

Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.

Detection

Deleting Windows event logs (via native binaries (Citation: Microsoft wevtutil Oct 2017), API functions (Citation: Microsoft EventLog.Clear), or PowerShell (Citation: Microsoft Clear-EventLog)) may also generate an alertable event (Event ID 1102: "The audit log was cleared").
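The technique description and the detection note above give the two observable sides of a log clear: the command that performs it (wevtutil cl, Clear-EventLog) and the event the Event Log service writes when it happens (Event ID 1102 in the Security log). The script below is an added example, not code from the ATT&CK technique entry or from SECURITM, that turns both into a small detection routine: it parses exported event XML for cleared-log events and scans process command lines for the clearing commands the page names. The sample event records and command lines are constructed; their field layout is assumed from the XML that `wevtutil qe /f:xml` exports (System element, then a provider-specific UserData/LogFileCleared element). Event ID 104, the System-log record written when a non-Security log such as Application or System is cleared, is an addition here and is not mentioned on the page.

```python
"""Spot Windows event-log clearing (ATT&CK T1070.001) in exported event
records and process command lines. Added example; not from the ATT&CK or
SECURITM page. Sample inputs are constructed and their XML layout assumed."""
import re
import xml.etree.ElementTree as ET

# Event ID 1102 ("The audit log was cleared") lands in the Security log, as the
# page states. Event ID 104 ("The <log> log file was cleared") is written to the
# System log when a non-Security log is cleared; that ID is an addition here.
LOG_CLEARED_IDS = {1102, 104}

# Clearing methods the page names: wevtutil (cl = clear-log) and the PowerShell
# Clear-EventLog cmdlet. Queries such as "wevtutil qe" must not match.
CLEAR_CMD = re.compile(
    r"wevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(?P<log>\S+)"
    r"|clear-eventlog\s+(?:-logname\s+)?(?P<pslog>[^\s,\"']+)",
    re.IGNORECASE,
)


def _first(root, local_name):
    """First element with this local name, ignoring namespaces (event XML mixes
    the system namespace with a per-provider manifest namespace)."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == local_name:
            return el
    return None


def _text(root, local_name):
    el = _first(root, local_name)
    return (el.text or "").strip() if el is not None else ""


def parse_log_clear_events(xml_records):
    """Return one finding per record whose EventID marks a cleared log."""
    findings = []
    for rec in xml_records:
        root = ET.fromstring(rec)
        event_id = int(_text(root, "EventID"))
        if event_id not in LOG_CLEARED_IDS:
            continue
        # The clearing account sits under UserData/LogFileCleared for both IDs;
        # 104 also names the cleared channel there, 1102 is always Security.
        user_data = _first(root, "UserData")
        if user_data is None:
            user_data = root
        cleared = "Security" if event_id == 1102 else _text(user_data, "Channel")
        tc = _first(root, "TimeCreated")
        findings.append({
            "source": "event",
            "event_id": event_id,
            "cleared_log": cleared,
            "user": _text(user_data, "SubjectDomainName") + "\\" + _text(user_data, "SubjectUserName"),
            "host": _text(root, "Computer"),
            "time": tc.get("SystemTime", "") if tc is not None else "",
        })
    return findings


def scan_command_lines(cmd_records):
    """cmd_records: (user, command_line) pairs from process-creation telemetry,
    the page's 'Command: Command Execution' data source."""
    hits = []
    for user, cmdline in cmd_records:
        m = CLEAR_CMD.search(cmdline)
        if m:
            hits.append({"source": "command", "user": user,
                         "cleared_log": m.group("log") or m.group("pslog"),
                         "command": cmdline})
    return hits


# Constructed samples: a Security-log clear (1102), an Application-log clear
# recorded in System as 104, and an unrelated service event that must be skipped.
_NS = 'xmlns="http://schemas.microsoft.com/win/2004/08/events/event"'
_MANIFEST = 'xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog"'
SAMPLE_EVENTS = [
    f'<Event {_NS}><System><Provider Name="Microsoft-Windows-Eventlog"/><EventID>1102</EventID>'
    '<TimeCreated SystemTime="2022-04-20T10:15:00Z"/><Channel>Security</Channel>'
    f'<Computer>WS01.corp.example</Computer></System><UserData><LogFileCleared {_MANIFEST}>'
    '<SubjectUserName>admin</SubjectUserName><SubjectDomainName>CORP</SubjectDomainName>'
    '</LogFileCleared></UserData></Event>',
    f'<Event {_NS}><System><Provider Name="Microsoft-Windows-Eventlog"/><EventID>104</EventID>'
    '<TimeCreated SystemTime="2022-04-20T10:15:07Z"/><Channel>System</Channel>'
    f'<Computer>WS01.corp.example</Computer></System><UserData><LogFileCleared {_MANIFEST}>'
    '<SubjectUserName>admin</SubjectUserName><SubjectDomainName>CORP</SubjectDomainName>'
    '<Channel>Application</Channel><BackupPath></BackupPath></LogFileCleared></UserData></Event>',
    f'<Event {_NS}><System><Provider Name="Service Control Manager"/><EventID>7036</EventID>'
    '<TimeCreated SystemTime="2022-04-20T10:16:00Z"/><Channel>System</Channel>'
    '<Computer>WS01.corp.example</Computer></System></Event>',
]
SAMPLE_COMMANDS = [
    ("CORP\\admin", "cmd.exe /Q /c wevtutil cl system"),
    ("CORP\\admin", 'powershell.exe -nop -c "Clear-EventLog -LogName Security"'),
    ("CORP\\svc_backup", "wevtutil.exe qe Security /c:5 /f:text"),
]


def detect(events=SAMPLE_EVENTS, commands=SAMPLE_COMMANDS):
    """Combined findings from both data sources."""
    return parse_log_clear_events(events) + scan_command_lines(commands)


if __name__ == "__main__":
    for finding in detect():
        print(finding)
```

Because a cleared log takes its own history with it, the 1102/104 record is often the only local trace left, which is why the mitigation above insists on forwarding events off the host promptly: this routine is meant to run over forwarded copies, not over the log on the machine that was cleared.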

References

  1. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  2. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  3. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  4. Plett, C. et al. (2017, October 16). wevtutil. Retrieved July 2, 2018.
  5. Microsoft. (n.d.). EventLog.Clear Method (). Retrieved July 2, 2018.
  6. Microsoft. (n.d.). Clear-EventLog. Retrieved July 2, 2018.
  7. Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.
  8. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  9. Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  10. Microsoft. (n.d.). wevtutil. Retrieved September 14, 2021.
  11. Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.
  12. Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  13. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020.
  14. Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
  15. Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
  16. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  17. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  18. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  19. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  20. Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.
  21. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  22. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
  23. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine. Retrieved April 10, 2022.
  24. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
  25. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.
  26. FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016.
  27. Cherepanov, A. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved May 18, 2016.
  28. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  29. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  30. Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
  31. Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.
  32. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.
  33. Allievi, A., Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  34. FinFisher. (n.d.). Retrieved December 20, 2017.
