A known evasion method among malicious entities when compromising a system is removing Windows Event Logs. An attacker will carry this out to remove traces of their activity on the target system. There are various methods to accomplish this, including internal Windows binaries such as ‘wevtutil’, stopping the Event Log service, and utilizing penetration testing tools (such as Mimikatz and Invoke-Phant0m).
- An attacker with access to the target system can remove event logs via ‘wevtutil’ or the GUI. This can be utilized to evade potential detection by forensic analysts.
- An attacker with access to the target system can stop the Windows Event Log service. The event log service should always be running unless it is scheduled to be stopped. This can be utilized to evade potential detection by forensic analysts.
- An attacker can use attack toolsets such as Mimikatz or ‘Invoke-Phant0m’ to clear event logs or to kill the Event Log service threads that collect logs. Use of ‘Invoke-Phant0m’ can be captured in PowerShell logs.
The attacker must have access to the remote or local system.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
Detection of this threat is provided via the Alert Logic ActiveWatch for Log Manager™ service. Log messages are produced by the vulnerable system when an exploit of this type is leveraged. An incident will be generated in the Alert Logic console if these log messages are observed.
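As an added example (not Alert Logic's signatures or code), the following Python runs the three indicators described above over constructed sample records that imitate exported Windows events. The event IDs used (1102, 104, 7036, 4104) are standard Windows IDs; the flattened record format and the 30-minute gap threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records in a flattened "timestamp|channel|event_id|message" form
# chosen to resemble exported Windows event log entries; they are not real captures.
SAMPLE_EVENTS = [
    "2024-01-10T09:00:00|Security|4624|An account was successfully logged on.",
    "2024-01-10T09:05:00|Security|1102|The audit log was cleared. Subject: Account Name: jsmith",
    "2024-01-10T09:05:10|System|104|The System log file was cleared.",
    "2024-01-10T09:06:00|Microsoft-Windows-PowerShell/Operational|4104|Creating Scriptblock text (1 of 1): Invoke-Phant0m",
    "2024-01-10T09:06:30|System|7036|The Windows Event Log service entered the stopped state.",
    "2024-01-10T11:30:00|System|7036|The Windows Event Log service entered the running state.",
]

# (channel, event id) pairs Windows writes when a log is cleared: 1102 for the
# Security log, 104 for the System and Application logs.
LOG_CLEARED = {("Security", 1102), ("System", 104), ("Application", 104)}
SERVICE_STOPPED = re.compile(r"Windows Event Log service entered the stopped state", re.I)
# Tool name the page says shows up in PowerShell logs; 4104 is script block logging.
PHANT0M = re.compile(r"Invoke-Phant0m", re.I)

def parse_event(line):
    ts, channel, event_id, message = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "channel": channel,
            "event_id": int(event_id), "message": message}

def detect_log_tampering(lines):
    """Return (rule_name, event_id) for each record matching one of the three indicators."""
    findings = []
    for ev in map(parse_event, lines):
        if (ev["channel"], ev["event_id"]) in LOG_CLEARED:
            findings.append(("event_log_cleared", ev["event_id"]))
        elif ev["event_id"] == 7036 and SERVICE_STOPPED.search(ev["message"]):
            findings.append(("eventlog_service_stopped", ev["event_id"]))
        elif ev["event_id"] == 4104 and PHANT0M.search(ev["message"]):
            findings.append(("phant0m_scriptblock", ev["event_id"]))
    return findings

def find_ingest_gaps(lines, max_gap=timedelta(minutes=30)):
    """Silence is itself a signal: a service that is stopped or whose threads are
    killed writes nothing further, so the stop may never be recorded. Flag any
    stretch longer than max_gap (an assumed threshold) with no records from the host."""
    times = sorted(parse_event(l)["ts"] for l in lines)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > max_gap]
```

On the sample data the rules fire on the 1102, 104, 4104 and first 7036 records, and the gap check flags the silent stretch between 09:06:30 and 11:30.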
Recommendations for Mitigation
The attacker must have exploited some other entry vector to gain access to the victim machine.