Skip to content

T1562.002 Impair Defenses DisableWindowsLoggingonEventID

T1562.002 - Impair Defenses: Disable Windows Logging on EventID

DESCRIPTION

Checks for event id 1102 and 104 which indicates the security event log was cleared

Example:

N/A

Related

Log clearing

Reference:

https://www.microsoft.com/en-us/security/blog/2020/04/01/microsoft-works-with-healthcare-organizations-to-protect-from-popular-ransomware-during-covid-19-crisis-heres-what-to-do
https://github.com/SigmaHQ/sigma/blob/cac07b8ecd07ffe729ed82dfa2082fdb6a1ceabc/rules/windows/builtin/security/win_security_event_log_cleared.yml#L4
https://lantern.splunk.com/Splunk_Platform/UCE/Security/Threat_Hunting/Detecting_a_ransomware_attack/Windows_event_log_cleared

ATT&CK TACTICS

T1562.002 - Impair Defenses: Disable Windows Event Logging

Data Source(s): Active Directory

SENTINEL RULE QUERY

let c1 = dynamic(['1102','104']); union isfuzzy=true (SecurityEvent | where EventSourceName =~ "Microsoft-Windows-Eventlog" and EventID in (c1)), (WindowsEvent | where Provider =~ "Microsoft-Windows-Eventlog" and EventID in (c1)), (Event | where EventLog =~ "Microsoft-Windows-Eventlog" and EventID in (c1))

Triage

  1. Inspect if the activity is expected and approved.

FalsePositive

  1. Legitimate administrative activity

VERSION

Version 1.0 (date: 10/10/2023)