The Security event log, and the audit policies that govern what is written to it, are a target for attackers, malware, and rogue system administrators. Stopping security logging (for all or for specific events) or deleting security log entries allows unauthorized activity to go unnoticed or become untraceable.
Whenever the Security log is cleared, Windows writes an event recording the fact, using Event ID 517 on Windows 2000, XP and Server 2003 or Event ID 1102 ("The audit log was cleared") on Windows Vista, Server 2008 and later. This event is written regardless of the Audit System Events audit policy setting. The Client User Name field (Event ID 517) or the Subject Account Name and Domain Name fields (Event ID 1102) identify the account that cleared the log. Because the event is written into the Security log itself, it is normally the first entry in the freshly cleared log; forwarding it to a remote collector ensures the record survives a second clear.
Alert Logic Coverage
Detection of this threat is provided via the Alert Logic® ActiveWatch for Log Manager™ service. The affected Windows system produces the log-cleared event (517 or 1102) at the moment its Security log is cleared. An incident will be generated in the Alert Logic console if these log messages are observed.
Recommendations for Investigation
The customer should investigate this activity to determine whether there was a valid reason for the audit log to be cleared by the user identified in the event. If not, the system should be assumed to have been breached and a forensic analysis should be undertaken.
- This activity is highly suspicious and is not an appropriate routine action, even for an administrator. Confirm that the user recorded in the event is authorized to clear the Security log and had a documented reason to do so.
- If the user is a non-administrator or is unknown, quarantine the source machine and begin forensic analysis of its contents.
- Check whether related or connected machines show suspicious, out-of-the-ordinary activity, such as logons by this user or by any unknown users, around the time of the clear.
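The detection and triage described above, as an added example that is not Alert Logic's code: it parses the two forms of the log-cleared event (the XML rendering of Event ID 1102 and the flat text message of Event ID 517), extracts the account that cleared the log, and raises an alert for every clear, downgrading allow-listed administrators to "review" rather than suppressing them, since clearing the log is suspect even for an admin. The input records, host names, accounts, SIDs, the comma-separated collector layout for the legacy record, and the AUTHORIZED_ADMINS allow-list are all constructed for this example; the XML namespace URIs are the real Windows event schema namespaces.

```python
"""Detection logic for Windows 'audit log was cleared' events (517 and 1102).

Added example, not Alert Logic code. Records below are constructed to look
like what a log collector forwards: the XML rendering used by Vista/2008 and
later (Event ID 1102) and the flat text message of Windows 2000/2003 (517).
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Real namespace URIs of the Windows event XML schema.
NS_EVT = "http://schemas.microsoft.com/win/2004/08/events/event"
NS_LOG = "http://manifests.microsoft.com/win/2004/08/windows/eventlog"

# Constructed inputs: host names, SIDs and accounts are made up.
SAMPLE_RECORDS = [
    # 1102: Security log cleared by CORP\jdoe on a workstation.
    f'<Event xmlns="{NS_EVT}"><System><Provider Name="Microsoft-Windows-Eventing"/>'
    '<EventID>1102</EventID><Computer>WS-FIN-07.corp.example</Computer></System>'
    f'<UserData><LogFileCleared xmlns="{NS_LOG}"><SubjectUserSid>S-1-5-21-1-2-3-1105'
    '</SubjectUserSid><SubjectUserName>jdoe</SubjectUserName>'
    '<SubjectDomainName>CORP</SubjectDomainName><SubjectLogonId>0x1a2b3</SubjectLogonId>'
    '</LogFileCleared></UserData></Event>',
    # 4624 (logon): not a clear event, must be ignored by the detector.
    f'<Event xmlns="{NS_EVT}"><System><EventID>4624</EventID>'
    '<Computer>WS-FIN-07.corp.example</Computer></System></Event>',
    # 517 in the legacy flat form (constructed collector layout: log,id,type,host,message).
    "Security,517,Success Audit,SRV2003-DC1,The audit log was cleared. "
    "Primary User Name: SYSTEM Primary Domain: NT AUTHORITY Primary Logon ID: (0x0,0x3E7) "
    "Client User Name: backupadm Client Domain: CORP Client Logon ID: (0x0,0x4C9F1)",
]

# Hypothetical allow-list of (DOMAIN, account) pairs permitted to clear the log.
AUTHORIZED_ADMINS = {("CORP", "backupadm")}


@dataclass
class ClearedLogAlert:
    host: str
    event_id: int
    domain: str
    account: str
    severity: str  # "critical" unless the account is allow-listed, then "review"


def parse_xml_record(xml_text: str) -> Optional[tuple]:
    """Return (host, 1102, domain, account) for an Event ID 1102 record, else None."""
    root = ET.fromstring(xml_text)
    system = root.find(f"{{{NS_EVT}}}System")
    if int(system.findtext(f"{{{NS_EVT}}}EventID")) != 1102:
        return None
    host = system.findtext(f"{{{NS_EVT}}}Computer")
    cleared = root.find(f"{{{NS_EVT}}}UserData/{{{NS_LOG}}}LogFileCleared")
    return (host, 1102,
            cleared.findtext(f"{{{NS_LOG}}}SubjectDomainName"),
            cleared.findtext(f"{{{NS_LOG}}}SubjectUserName"))


# Legacy 517 message: the clearing account is in the "Client User Name" field.
LEGACY_517 = re.compile(
    r"^Security,517,[^,]*,(?P<host>[^,]+),.*?"
    r"Client User Name:\s*(?P<user>\S+)\s+Client Domain:\s*(?P<domain>\S+)")


def parse_legacy_record(text: str) -> Optional[tuple]:
    """Return (host, 517, domain, account) for a Windows 2000/2003 record, else None."""
    m = LEGACY_517.match(text)
    if not m:
        return None
    return (m["host"], 517, m["domain"], m["user"])


def detect(records: List[str], authorized) -> List[ClearedLogAlert]:
    """Turn raw records into alerts. Every clear event alerts; allow-listed
    admins are downgraded to 'review', never suppressed, because clearing the
    Security log is suspect even for an administrator."""
    alerts = []
    for rec in records:
        parsed = (parse_xml_record(rec) if rec.lstrip().startswith("<")
                  else parse_legacy_record(rec))
        if parsed is None:
            continue
        host, eid, domain, account = parsed
        sev = "review" if (domain.upper(), account.lower()) in authorized else "critical"
        alerts.append(ClearedLogAlert(host, eid, domain, account, sev))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_RECORDS, AUTHORIZED_ADMINS):
        print(f"{a.severity.upper():8} {a.host} event {a.event_id}: "
              f"cleared by {a.domain}\\{a.account}")
```

Run against the constructed records, the 4624 logon is ignored, the 1102 clear by CORP\jdoe (not on the allow-list) is raised as critical, and the 517 clear by CORP\backupadm is raised for review. The allow-list is a triage aid only: an authorized account seen here still needs the change-ticket or other justification the investigation steps above call for.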