Clearing audit logs from Domain Controller


Hi there,

Clearing the event logs from the Domain Controller or workstation could be a sign of malicious behavior.

Does Microsoft ATA currently alert on this?

[image: event-1102.png]

4 Replies
@huy_kha, No, there is no detection for this.

@Tali Ash, did we ever consider this?

@Eli Ofek

If you consider adding it to ATA, you might add Event 1100 to it as well.

This event shows up when someone shuts down the event logs.

Thanks @huy_kha, we will look into it; currently we are not planning to add such detection.

Thanks,

Tali

I think this should be triggered from the SIEM, especially if you're collecting logs from all servers into the one source. AATP/ATP would only trigger this from a DC, but your SIEM would trigger it from anywhere that is sending the logs.
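A SIEM-side rule of the kind the last reply suggests, as an added example that is not from the thread, ATA or any SIEM product: it flags Security events 1102 and 1100 from any forwarding host, rates DCs higher, and uses a following 4608 ("Windows is starting up") from the same host to tell a reboot from a logging service stopped while the machine kept running. The JSON-lines record format, host names and the DC list are constructed assumptions.

```python
import json
from datetime import datetime, timedelta

# Event IDs the thread discusses; both are written to the Security log by Microsoft-Windows-Eventlog.
WATCHED = {1102: "audit log cleared", 1100: "event logging service shut down"}
STARTUP_ID = 4608  # "Windows is starting up": a reboot, as opposed to a standalone service stop
DOMAIN_CONTROLLERS = {"DC01", "DC02"}  # constructed asset list (assumption, not from the page)

# Constructed sample of forwarded Security-log records as JSON lines; not real data.
SAMPLE_EVENTS = r"""
{"host":"DC01","channel":"Security","event_id":4624,"time":"2019-08-01T09:00:00Z","subject":"CORP\\alice"}
{"host":"DC01","channel":"Security","event_id":1102,"time":"2019-08-01T09:05:12Z","subject":"CORP\\alice"}
{"host":"WS17","channel":"Security","event_id":1100,"time":"2019-08-01T18:30:01Z","subject":"-"}
{"host":"DC02","channel":"Security","event_id":1100,"time":"2019-08-01T18:31:40Z","subject":"-"}
{"host":"DC02","channel":"Security","event_id":4608,"time":"2019-08-01T18:35:02Z","subject":"-"}
"""

def parse_events(text):
    """Parse JSON-lines records (constructed format) and return them sorted by time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for rec in events:
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda r: r["time"])

def detect_log_tampering(events, reboot_window=timedelta(minutes=15)):
    """One alert per 1102/1100 Security event, from any host that forwards logs."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["channel"] != "Security" or ev["event_id"] not in WATCHED:
            continue
        alert = {"host": ev["host"], "event_id": ev["event_id"], "subject": ev["subject"],
                 "time": ev["time"].isoformat(), "reason": WATCHED[ev["event_id"]],
                 "severity": "high" if ev["host"] in DOMAIN_CONTROLLERS else "medium"}
        if ev["event_id"] == 1100:
            # 1100 is also written on every clean shutdown, so on its own it is noisy.
            # A 4608 from the same host shortly after marks a reboot; the absence of one
            # means logging stopped while the host kept running, which deserves a look.
            rebooted = any(later["host"] == ev["host"] and later["event_id"] == STARTUP_ID
                           and later["time"] - ev["time"] <= reboot_window
                           for later in events[i + 1:])
            alert["context"] = "reboot" if rebooted else "service stopped, no restart seen"
            if rebooted:
                alert["severity"] = "low"
        alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for a in detect_log_tampering(parse_events(SAMPLE_EVENTS)):
        print(a)
```

Hosts that forward no events at all after a 1100 are the other case to watch; that needs a heartbeat check on the collector rather than a per-event rule.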