Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.
The event logs can be cleared with the following utility commands:
wevtutil cl system
wevtutil cl application
wevtutil cl security
These logs may also be cleared through other mechanisms, such as the event viewer GUI or PowerShell.
Dragonfly 2.0 cleared Windows event logs and other logs produced by tools they used, including system, security, terminal services, remote services, and audit logs. The actors also deleted specific Registry keys.
|M1041||Encrypt Sensitive Information||
Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.
|M1029||Remote Data Storage||
Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system.
|M1022||Restrict File and Directory Permissions||
Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.
|ID||Data Source||Data Component|
|DS0009||Process||OS API Execution|