From fb92c697977d3448510e5fa50051f61fac6918bf Mon Sep 17 00:00:00 2001 
From: Anabella Cristaldi <33020901+janniten@users.noreply.github.com> Date: Tue, 12 Jan 2021 01:17:20 +0100 Subject: [PATCH] [New Rule] Clearing Windows Security Logs (#529) * [New Rule] Clearing Windows Security Logs * Fix Date Format Error * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: Justin Ibarra * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: Justin Ibarra * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: Justin Ibarra * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: Justin Ibarra * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Add Elastic tag Co-authored-by: Justin Ibarra * update maturity * Add Elastic to list of authors Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * bump updated_date Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Justin Ibarra Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> --- ...vasion_clearing_windows_security_logs.toml | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 
100644 rules/windows/defense_evasion_clearing_windows_security_logs.toml
diff --git a/rules/windows/defense_evasion_clearing_windows_security_logs.toml b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
new file mode 100644
index 000000000..79e50dac8
--- /dev/null
+++ b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
@@ -0,0 +1,36 @@
+[metadata]
+creation_date = "2020/11/12"
+maturity = "production"
+updated_date = "2021/01/11"
+
+[rule]
+author = ["Elastic", "Anabella Cristaldi"]
+description = """
+Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade
+detection or destroy forensic evidence on a system.
+"""
+from = "now-9m"
+index = ["winlogbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Windows Event Logs Cleared"
+risk_score = 21
+rule_id = "45ac4800-840f-414c-b221-53dd36a5aaf7"
+severity = "low"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+type = "query"
+
+query = '''
+event.action:("audit-log-cleared" or "Log clear")
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1070"
+name = "Indicator Removal on Host"
+reference = "https://attack.mitre.org/techniques/T1070/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
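Review bot: The query at `event.action:("audit-log-cleared" or "Log clear")` keys the whole detection on two ECS event.action strings, yet the rule ships with no `false_positives` entry and no investigation `note`, so an analyst triaging a hit is not told that an administrator clearing a channel during maintenance or log rotation fires exactly the same events. Those two strings presumably correspond to the Security-log "audit log was cleared" event and the System-log "Log clear" event respectively — confirm against the winlogbeat mapping, and if the repo's other Windows rules scope on `event.provider` or `winlog.channel`, consider doing the same here so a renamed action string in a later beat release does not silently blank the rule. The threat mapping stops at the parent technique T1070 although ATT&CK defines a dedicated sub-technique for clearing Windows event logs; if the rule schema supports a `[[rule.threat.technique.subtechnique]]` table, mapping to it makes coverage reporting more precise. Proposed additions below; everything else in the file is unchanged.
```toml
# … unchanged: [metadata] table, author and description …
false_positives = [
    """
    Clearing an event log during planned maintenance or log rotation by an administrator. Verify the actor, host and
    channel before escalating.
    """,
]
# … unchanged: remaining [rule] keys, query, [[rule.threat]], [[rule.threat.technique]] id/name …
reference = "https://attack.mitre.org/techniques/T1070/"
[[rule.threat.technique.subtechnique]]
id = "T1070.001"
name = "Clear Windows Event Logs"
reference = "https://attack.mitre.org/techniques/T1070/001/"
# … unchanged: [rule.threat.tactic] …
```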