
Clear windows security event logs

Open woundride opened this issue 8 months ago • 5 comments

Summary of the Pull Request

Changelog

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

woundride avatar Apr 20 '25 22:04 woundride

Please check, it is already covered by https://github.com/SigmaHQ/sigma/blob/85fd5958bcccdf12984ab5cc9230fcaf2d42c1e0/rules/windows/builtin/security/win_security_audit_log_cleared.yml

frack113 avatar Apr 21 '25 15:04 frack113

Please check, it is already covered by https://github.com/SigmaHQ/sigma/blob/85fd5958bcccdf12984ab5cc9230fcaf2d42c1e0/rules/windows/builtin/security/win_security_audit_log_cleared.yml

Hi @frack113, thanks for your answer. Unfortunately this rule seems to have never worked for me, and after investigating, I think I've found why: in my case (Windows 2K19), although the clearing appears in Security.evtx, the service used is eventlog and not security:

[image]

woundride avatar Apr 21 '25 19:04 woundride

Can you give the XML version of the event so that I can update the initial rule? Thanks

frack113 avatar Apr 22 '25 12:04 frack113

Hi @frack113 ,

Here is a sample from my lab:

Log Name: Security
Source: Microsoft-Windows-Eventlog
Date: 22/04/2025 23:33:14
Event ID: 1102
Task Category: Log clear
Level: Information
Keywords: Audit Success
User: N/A
Computer: W2019-DC01.woundride.local
Description: The audit log was cleared.
Subject:
  Security ID: WOUNDRIDE\admin_t0_cbr
  Account Name: admin_t0_cbr
  Domain Name: WOUNDRIDE
  Logon ID: 0x37031
Event XML:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" />
    <EventID>1102</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>104</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4020000000000000</Keywords>
    <TimeCreated SystemTime="2025-04-22T21:33:14.288562400Z" />
    <EventRecordID>23187</EventRecordID>
    <Correlation />
    <Execution ProcessID="1032" ThreadID="5408" />
    <Channel>Security</Channel>
    <Computer>W2019-DC01.woundride.local</Computer>
    <Security />
  </System>
  <UserData>
    <LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
      <SubjectUserSid>S-1-5-21-3332904308-1614487934-3407257785-1121</SubjectUserSid>
      <SubjectUserName>admin_t0_cbr</SubjectUserName>
      <SubjectDomainName>WOUNDRIDE</SubjectDomainName>
      <SubjectLogonId>0x37031</SubjectLogonId>
    </LogFileCleared>
  </UserData>
</Event>

woundride avatar Apr 22 '25 21:04 woundride

The GUI information is for humans; in the XML you can see that Provider Name="Microsoft-Windows-Eventlog", like the original rule. The logsource service: security matches Channel: Security. From the XML, this event matches the rule. I don't use chainsaw; you can test the evtx with Zircolite or hayabusa.

frack113 avatar Apr 23 '25 04:04 frack113
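The matching that frack113 describes, as an added example that is not part of the thread and not code from the SigmaHQ repository or any Sigma backend: a small Python evaluator that flattens the event XML posted above into Sigma-style field names and applies the rule's logic as reconstructed from the discussion (logsource `service: security` resolves to `Channel == "Security"`; the selection is `EventID: 1102` with `Provider_Name: Microsoft-Windows-Eventlog`). The exact selection keys in the real rule are an assumption here. The second event, a System-channel "log cleared" event 104 from the same provider, is constructed for this example to show why the channel check matters: the GUI "Source" column shows `Microsoft-Windows-Eventlog` for both, but only the Security-channel event is in scope for this rule.

```python
"""Evaluate the Security 1102 Sigma selection against raw Windows event XML.

Added example: not code from SigmaHQ/sigma or from any Sigma backend. The
rule logic is reconstructed from the issue thread and is an assumption:
  logsource service "security"  -> Channel == "Security"
  selection: EventID 1102, Provider_Name "Microsoft-Windows-Eventlog"
"""
import xml.etree.ElementTree as ET

EVENT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Event XML posted in the thread (trimmed to the fields used here).
EVENT_1102_SECURITY = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" />
    <EventID>1102</EventID>
    <Channel>Security</Channel>
    <Computer>W2019-DC01.woundride.local</Computer>
  </System>
  <UserData>
    <LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
      <SubjectUserSid>S-1-5-21-3332904308-1614487934-3407257785-1121</SubjectUserSid>
      <SubjectUserName>admin_t0_cbr</SubjectUserName>
      <SubjectDomainName>WOUNDRIDE</SubjectDomainName>
      <SubjectLogonId>0x37031</SubjectLogonId>
    </LogFileCleared>
  </UserData>
</Event>"""

# Constructed counter-example (not from the thread): the System channel's
# "log cleared" event 104 comes from the same provider but must not match a
# rule scoped to logsource service "security".
EVENT_104_SYSTEM = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" />
    <EventID>104</EventID>
    <Channel>System</Channel>
    <Computer>W2019-DC01.woundride.local</Computer>
  </System>
  <UserData>
    <LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
      <SubjectUserName>admin_t0_cbr</SubjectUserName>
      <SubjectDomainName>WOUNDRIDE</SubjectDomainName>
      <Channel>System</Channel>
    </LogFileCleared>
  </UserData>
</Event>"""

# Assumed rule content (see module docstring). Sigma compares EventID as an
# integer; this evaluator keeps everything as strings for simplicity.
SIGMA_LOGSOURCE = {"product": "windows", "service": "security"}
SIGMA_SELECTION = {"EventID": "1102", "Provider_Name": "Microsoft-Windows-Eventlog"}
# Mapping used by Windows backends for the logsource service -> Channel.
SERVICE_TO_CHANNEL = {"security": "Security", "system": "System", "application": "Application"}


def flatten_event(xml_text: str) -> dict:
    """Flatten an EVTX-style XML event into a flat dict of Sigma-style fields.

    <System> children become fields by tag name, the Provider Name attribute
    becomes Provider_Name, and leaf elements under <UserData>/<EventData>
    become fields (EventData's <Data Name="X"> is keyed by its Name attribute).
    System fields win over same-named payload fields such as Channel.
    """
    root = ET.fromstring(xml_text)
    fields: dict = {}
    for container in ("EventData", "UserData"):
        node = root.find(f"{EVENT_NS}{container}")
        if node is None:
            continue
        for leaf in node.iter():
            if len(leaf) or not (leaf.text and leaf.text.strip()):
                continue  # skip non-leaf and empty elements
            key = leaf.get("Name") or leaf.tag.split("}")[-1]
            fields[key] = leaf.text.strip()
    system = root.find(f"{EVENT_NS}System")
    for child in system:
        tag = child.tag.split("}")[-1]
        if tag == "Provider":
            fields["Provider_Name"] = child.get("Name")
        elif child.text and child.text.strip():
            fields[tag] = child.text.strip()
    return fields


def rule_matches(fields: dict) -> bool:
    """Apply logsource scoping (Channel) and then the selection, like a backend would."""
    expected_channel = SERVICE_TO_CHANNEL[SIGMA_LOGSOURCE["service"]]
    if fields.get("Channel") != expected_channel:
        return False
    return all(fields.get(key) == value for key, value in SIGMA_SELECTION.items())


if __name__ == "__main__":
    for label, xml_text in (("Security 1102", EVENT_1102_SECURITY), ("System 104", EVENT_104_SYSTEM)):
        f = flatten_event(xml_text)
        print(f"{label}: Provider_Name={f['Provider_Name']} Channel={f['Channel']} "
              f"Subject={f.get('SubjectDomainName')}\\{f.get('SubjectUserName')} -> match={rule_matches(f)}")
```

The point the thread settles is visible in the output: the GUI "Source" column and the Sigma `service` are different things. `service: security` is resolved by the backend into the `Channel` field, while `Provider_Name` is the `Source` the GUI shows, so an event whose Source reads `Microsoft-Windows-Eventlog` in the Security log is exactly what the rule expects. If a converted rule does not fire in a real pipeline, check how the backend maps `Provider_Name` (some log shippers expose it as `Provider.Name` or `SourceName`) before concluding the rule is wrong.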