Clearing audit logs from Domain Controller


Hi there,

 

Clearing the event logs from the Domain Controller or workstation could be a sign of malicious behavior.

Does Microsoft ATA currently alert on this?

 

[Screenshot: event-1102.png]

@Deleted, no, there is no detection for this.

@Tali Ash, did we ever consider this?

@Eli Ofek

If you consider adding it to ATA, you might add Event 1100 to it as well.

This event shows up when someone shuts down the event log service.

Thanks @Deleted, we will look into it; currently we are not planning to add such a detection.

 

Thanks,

Tali

I think this should be triggered from the SIEM, especially if you're collecting logs from all servers into one source. AATP/ATP would only trigger this from a DC, but your SIEM would trigger it from anywhere that is sending the logs.
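As an added example, not part of the thread above, here is how the two events the thread discusses can be pulled from a Domain Controller before (or instead of) a SIEM rule is in place. Event 1102 (the audit log was cleared) and Event 1100 (the event logging service has shut down) are both written to the Security log by the Microsoft-Windows-Eventlog provider, and 1102 records the clearing account under UserData/LogFileCleared. The script assumes WinRM/RPC access to the target and membership in Event Log Readers or local administrator rights; the parameter names $ComputerName and $Hours are my own.

```powershell
# Added example (not from the thread): hunt for Security log clearing (1102) and
# event log service shutdown (1100) on a Domain Controller and report who did it.
# Assumes remote event log access and Event Log Readers / admin rights.
# $ComputerName and $Hours are assumed parameter names.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24
)

# Both events live in the Security log under the Microsoft-Windows-Eventlog provider.
$filter = @{
    LogName      = 'Security'
    ProviderName = 'Microsoft-Windows-Eventlog'
    Id           = 1102, 1100
    StartTime    = (Get-Date).AddHours(-$Hours)
}

try {
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
}
catch {
    # Get-WinEvent errors out when nothing matches; treat that as an empty result,
    # but surface real failures (RPC unreachable, access denied) to the caller.
    if ($_.Exception.Message -match 'No events were found') { $events = @() } else { throw }
}

foreach ($e in $events) {
    $xml = [xml]$e.ToXml()

    # 1102 carries the clearing account in UserData/LogFileCleared; 1100 has no subject.
    $subject = $xml.Event.UserData.LogFileCleared
    if ($subject) {
        $account = '{0}\{1}' -f $subject.SubjectDomainName, $subject.SubjectUserName
        $sid     = $subject.SubjectUserSid
        $logonId = $subject.SubjectLogonId
    }
    else {
        $account = 'n/a'; $sid = 'n/a'; $logonId = 'n/a'
    }

    $description = if ($e.Id -eq 1102) { 'Audit log cleared' } else { 'Event logging service shut down' }

    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        Computer    = $e.MachineName
        EventId     = $e.Id
        Description = $description
        Account     = $account
        Sid         = $sid
        LogonId     = $logonId
    }
}
```

Run it against each DC (for example in a loop over `Get-ADDomainController -Filter *`) or schedule it; the SubjectLogonId it returns can be correlated with the matching 4624 logon event to find where the clearing session came from. A 1100 alone is expected at every reboot, so it is the 1100 without a preceding clean shutdown (Event 1074 in the System log) that deserves attention. Note that a single 1102 is the last record an attacker cannot remove without producing another 1102, which is why forwarding these events off-box to a SIEM, as the reply above suggests, matters more than the query itself.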