Splunk Alert Details
Alert ID: SPLUNK-DISABLE-LOGGING-1562-7842
Alert Time: 2024-03-08 09:30:15 EST
Severity: CRITICAL (95/100)
Source: Splunk Enterprise Security
Rule: "Windows Event Logging Disabled – Defense Evasion"
MITRE ATT&CK: T1562.002 – Impair Defenses: Disable Windows Event Logging
Alert Details:
Correlated Events:
Windows Event ID 1102 (Security Log Cleared) – Not present because logging disabled first
Event ID 104 (System Log Cleared) – Not present
Event ID 4719 (Audit Policy Change):
Time: 09:20:22 EST
Host: DC-01 (Domain Controller)
User: SYSTEM (via script)
Changes: “Audit Policy Change: Success Removed, Failure Removed” for multiple categories
Event ID 4904 (Security Event Source Registered):
Time: 09:21:15 EST
Host: DC-01
Description: "An attempt was made to register a security event source." This is the last Security event received from DC-01. Note that 4904 records the registration of an event source, not removal of the audit log; switching a channel off with wevtutil produces no Security event of its own, so the evidence for the disable is the 4688 process-creation record below.
Process Creation (Event ID 4688):
Time: 09:18:45 EST
Process: wevtutil.exe
Command: wevtutil set-log Security /enabled:false /retention:false /maxsize:1
Command: wevtutil set-log System /enabled:false
Command: wevtutil set-log Application /enabled:false
Command: wevtutil set-log "Windows PowerShell" /enabled:false
Additional Commands:
09:19:10 – auditpol /set /subcategory:"Security State Change" /success:disable /failure:disable
09:19:30 – auditpol /set /subcategory:"Other System Events" /success:disable /failure:disable
09:19:50 – auditpol /set /subcategory:"Logon" /success:disable /failure:disable
Detection Logic:
Event logs disabled via wevtutil (critical defense evasion)
Audit policies disabled via auditpol
No further events received from the host after 09:21 (channels switched off), so the absence of a 1102 Log Cleared event is expected rather than reassuring
Pattern matches an attacker preparing to operate without detection
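The detection logic above, reimplemented as a stand-alone Python check that a detection engineer could run over exported 4688/4719 events before committing the SPL. This is an added example, not the page's Splunk rule or any vendor code. The sample events are constructed in the shape of the alert above (a second host, WS-07, carries benign wevtutil usage to show the rule does not fire on it), and the severity mapping is an assumption.

```python
"""Stand-alone check for the T1562.002 detection logic above (added example,
not the Splunk rule's SPL). It flags wevtutil channel disables and auditpol
disables in 4688 command lines, correlates them per host with any 4719
audit-policy-change event, and emits one alert per host."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Optional, Tuple

# Constructed sample events in the shape of the alert above (not real telemetry).
# WS-07 carries benign wevtutil usage and must not produce an alert.
SAMPLE_EVENTS = [
    {"time": "2024-03-08 09:18:45", "host": "DC-01", "id": 4688,
     "cmd": "wevtutil set-log Security /enabled:false /retention:false /maxsize:1"},
    {"time": "2024-03-08 09:18:46", "host": "DC-01", "id": 4688,
     "cmd": 'C:\\Windows\\System32\\wevtutil.exe sl "Windows PowerShell" /e:false'},
    {"time": "2024-03-08 09:19:10", "host": "DC-01", "id": 4688,
     "cmd": 'auditpol /set /subcategory:"Security State Change" /success:disable /failure:disable'},
    {"time": "2024-03-08 09:19:50", "host": "DC-01", "id": 4688,
     "cmd": 'auditpol /set /subcategory:"Logon" /success:disable /failure:disable'},
    {"time": "2024-03-08 09:20:22", "host": "DC-01", "id": 4719, "cmd": ""},
    {"time": "2024-03-08 09:25:00", "host": "WS-07", "id": 4688,
     "cmd": "wevtutil sl Security /e:true"},
    {"time": "2024-03-08 09:25:05", "host": "WS-07", "id": 4688,
     "cmd": "wevtutil gl Security"},
]

# wevtutil: short (sl, /e) and long (set-log, /enabled) forms, optional path/.exe.
WEVTUTIL_DISABLE = re.compile(
    r'(?:^|\\|\s)wevtutil(?:\.exe)?\s+(?:sl|set-log)\s+(?P<log>"[^"]*"|\S+)'
    r'(?=.*\s/(?:e|enabled):false\b)', re.IGNORECASE)
# auditpol /set ... /success:disable or /failure:disable on a (sub)category.
AUDITPOL_DISABLE = re.compile(
    r'(?:^|\\|\s)auditpol(?:\.exe)?\s+.*?/set\b.*?/(?:sub)?category:(?P<sub>"[^"]*"|\S+)'
    r'(?=.*/(?:success|failure):disable\b)', re.IGNORECASE)
# auditpol /clear wipes the whole policy, a cruder way to reach the same result.
AUDITPOL_CLEAR = re.compile(r'(?:^|\\|\s)auditpol(?:\.exe)?\s+/clear\b', re.IGNORECASE)


def classify(cmd: str) -> Optional[Tuple[str, str]]:
    """Return (kind, target) for a command line that reduces logging, else None."""
    m = WEVTUTIL_DISABLE.search(cmd)
    if m:
        return "wevtutil_disable", m.group("log").strip('"')
    m = AUDITPOL_DISABLE.search(cmd)
    if m:
        return "auditpol_disable", m.group("sub").strip('"')
    if AUDITPOL_CLEAR.search(cmd):
        return "auditpol_clear", "*"
    return None


def detect(events):
    """Correlate per host and return one alert dict per host that cut logging.
    A 4719 on its own is routine GPO noise and does not alert; at least one
    disabling command line is required."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        channels, subcats, times, policy_change = [], [], [], False
        for ev in evs:
            if ev["id"] == 4719:
                policy_change = True
                times.append(datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S"))
            elif ev["id"] == 4688 and (hit := classify(ev["cmd"])):
                kind, target = hit
                (channels if kind == "wevtutil_disable" else subcats).append(target)
                times.append(datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S"))
        if not channels and not subcats:
            continue
        alerts.append({
            "host": host,
            "technique": "T1562.002",
            "first_seen": min(times).strftime("%H:%M:%S"),
            "last_seen": max(times).strftime("%H:%M:%S"),
            "channels_disabled": channels,
            "audit_subcategories_disabled": subcats,
            "audit_policy_change_4719": policy_change,
            # Severity mapping is an assumption: switching off a channel (or
            # clearing the whole policy) is CRITICAL, trimming subcategories HIGH.
            "severity": "CRITICAL" if channels or "*" in subcats else "HIGH",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running it yields a single CRITICAL alert for DC-01 covering both disabled channels, both audit subcategories and the 4719, while WS-07's `sl ... /e:true` and `gl` commands are ignored. The patterns deliberately accept the short forms (`sl`, `/e:false`) and a full path to the binary, since the long forms shown in the alert are the exception rather than the rule in real command lines.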
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify Splunk correlation | Splunk ES | Confirmed event logging disabled on DC-01
2. Process Investigation | Identify source of commands | CrowdStrike Falcon | PsExec from compromised admin workstation
3. Immediate Action | Isolate DC-01 | CrowdStrike, Network ACLs | DC-01 quarantined
4. Re-enable Logging | Enable event logs and audit policies | wevtutil, auditpol | All logs re-enabled
5. Account Remediation | Disable compromised admin account | Azure AD, AD | Admin account disabled; password reset
6. Network Block | Block attacker IP | Palo Alto | 185.143.221[.]89 blocked
Jira Incident Report
Ticket: SOC-2024-186
Summary: T1562.002 – Windows Event Logging Disabled on Domain Controller
Status: RESOLVED
Resolution: MALICIOUS – Logging Restored
Priority: P1 – CRITICAL
Labels: T1562, disable-logging, wevtutil, auditpol, domain-controller
Components: Log-Management, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Splunk Enterprise Security.
Alert: “Windows Event Logging Disabled – Defense Evasion”.
Host: DC-01 (Primary Domain Controller).
Actions: Security, System, Application, PowerShell logs disabled; audit policies disabled.
Time: 2024-03-08 09:30 EST.
Technique: MITRE ATT&CK T1562.002 – Impair Defenses: Disable Windows Event Logging.
2. Technical Analysis:
Attack Chain:
08:30 – Admin account (bjones) compromised via phishing
08:45 – Attacker logs into admin workstation via RDP
09:00 – Attacker uses PsExec to push commands to DC-01
09:18-09:21 – Event logging disabled
09:21 – No further logs generated
09:30 – Splunk alert (based on audit policy changes and process creation)
Logging Disabled:
wevtutil commands: Disabled Security, System, Application, PowerShell logs
auditpol commands: Disabled auditing for critical categories (Logon, Security State Change, etc.)
Result: No events recorded after 09:21
Attacker Intent:
Operate without leaving traces
Prepare for ransomware or data theft
Prevent detection of further actions
Compromised Admin:
bjones (Domain Admin)
No MFA (now enforced)
3. Investigation Findings:
Timeline:
08:30 – Admin account compromised
08:45 – Attacker logs in
09:00 – PsExec to DC
09:18-09:21 – Logging disabled
09:30 – Alert
09:32 – SOC investigates
09:33 – DC isolated
09:34 – Logging re-enabled
Indicators of Compromise (IoCs):
Commands:
– wevtutil set-log Security /enabled:false
– wevtutil set-log System /enabled:false
– wevtutil set-log Application /enabled:false
– wevtutil set-log "Windows PowerShell" /enabled:false
– auditpol /set /subcategory:"Logon" /success:disable /failure:disable
– (similar for other subcategories)
Account:
– bjones (compromised)
4. Containment Actions:
Immediate Actions:
Isolated DC-01.
Re-enabled all event logs via wevtutil. Note that the 09:18:45 command also set /retention:false and /maxsize:1 on the Security log; /enabled:true alone does not undo those, so the maximum size and retention settings must be reset explicitly or the restored log will wrap almost immediately.
Re-enabled audit policies via auditpol.
Restarted Windows Event Log service.
Disabled bjones account.
Reset password.
Blocked attacker IP.
Verification:
Confirmed logs are being written again.
Reviewed available logs for attacker activity (none after disable).
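A post-restoration check for the "Re-enable Logging" step in the table above and the verification steps just listed. This is an added example, not the SOC's own tooling or anything from the page: it parses the output of `wevtutil gl <channel>` and `auditpol /get /category:* /r` against an assumed baseline and reports every channel or subcategory still in the attacker's state. The sample outputs are constructed in the shape of those commands' real output (not captured from DC-01), with the Security log's size left at the attacker's value, the Windows PowerShell channel still disabled and the Logon subcategory still off, so the check fails on purpose; `collect_live()` runs the real commands when executed from an elevated prompt on a Windows host.

```python
"""Post-restoration check for the re-enable and verification steps above
(added example, not the SOC's tooling). Parses `wevtutil gl` and
`auditpol /get /category:* /r` output against an assumed baseline and
returns every channel or audit subcategory still in the attacker's state."""
import csv
import io
import subprocess
from typing import Dict, List

REQUIRED_CHANNELS = ["Security", "System", "Application", "Windows PowerShell"]
# Subcategories the attacker turned off; the expected values are an assumed
# baseline, not DC-01's real policy.
REQUIRED_AUDIT = {
    "Security State Change": "Success",
    "Other System Events": "Success and Failure",
    "Logon": "Success and Failure",
}
MIN_LOG_SIZE = 20 * 1024 * 1024  # assumed floor; the attacker set /maxsize:1 on Security

# Constructed in the shape of `wevtutil gl <channel>` output (not captured data).
SAMPLE_WEVTUTIL_GL = {
    "Security": r"""name: Security
enabled: true
type: Admin
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\Security.evtx
  retention: false
  maxSize: 1048576
""",
    "System": "name: System\nenabled: true\nlogging:\n  maxSize: 20971520\n",
    "Application": "name: Application\nenabled: true\nlogging:\n  maxSize: 20971520\n",
    "Windows PowerShell": "name: Windows PowerShell\nenabled: false\nlogging:\n  maxSize: 20971520\n",
}
# Constructed in the shape of `auditpol /get /category:* /r` CSV output.
SAMPLE_AUDITPOL_CSV = """
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
DC-01,System,Security State Change,{0CCE9210-69AE-11D9-BED3-505054503030},Success,
DC-01,System,Other System Events,{0CCE9214-69AE-11D9-BED3-505054503030},Success and Failure,
DC-01,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},No Auditing,
"""


def parse_wevtutil_gl(text: str) -> Dict[str, str]:
    """Flatten the `key: value` lines of wevtutil gl (nested keys are indented)."""
    cfg = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep:
            cfg[key.strip()] = val.strip()
    return cfg


def parse_auditpol_csv(text: str) -> Dict[str, str]:
    """Map subcategory name -> inclusion setting from auditpol /r CSV output."""
    rows = csv.DictReader(io.StringIO(text.strip()))
    return {r["Subcategory"].strip(): r["Inclusion Setting"].strip() for r in rows}


def covers(got: str, want: str) -> bool:
    """'Success and Failure' satisfies a requirement of 'Success'; 'No Auditing' satisfies nothing."""
    return set(want.split(" and ")) <= set(got.split(" and "))


def verify(gl_outputs: Dict[str, str], auditpol_csv: str) -> List[str]:
    """Return human-readable findings; an empty list means logging is fully restored."""
    findings = []
    for ch in REQUIRED_CHANNELS:
        cfg = parse_wevtutil_gl(gl_outputs.get(ch, ""))
        if cfg.get("enabled", "").lower() != "true":
            findings.append(f"channel {ch}: still disabled")
        size = int(cfg.get("maxSize", "0") or 0)
        if size < MIN_LOG_SIZE:
            findings.append(f"channel {ch}: maxSize {size} below {MIN_LOG_SIZE}")
    settings = parse_auditpol_csv(auditpol_csv)
    for sub, want in REQUIRED_AUDIT.items():
        got = settings.get(sub, "missing")
        if not covers(got, want):
            findings.append(f"audit {sub}: {got} (expected {want})")
    return findings


def collect_live():
    """Run the real commands on a Windows host (needs an elevated prompt)."""
    gl = {ch: subprocess.run(["wevtutil", "gl", ch], capture_output=True,
                             text=True, check=True).stdout for ch in REQUIRED_CHANNELS}
    pol = subprocess.run(["auditpol", "/get", "/category:*", "/r"],
                         capture_output=True, text=True, check=True).stdout
    return gl, pol


if __name__ == "__main__":
    for finding in verify(SAMPLE_WEVTUTIL_GL, SAMPLE_AUDITPOL_CSV) or ["logging fully restored"]:
        print(finding)
```

The size check matters here because `wevtutil sl Security /e:true` only flips the enabled flag; the `/maxsize:1` and `/retention:false` values from the attacker's command survive re-enabling, and a 1 MB Security log on a domain controller wraps within minutes. The `/r` flag gives CSV, which is far easier to parse reliably than the column-aligned default output of `auditpol /get`.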
Host Remediation:
Full scan (clean).
Verified no persistence.
5. Root Cause Analysis:
Primary Cause: Domain admin account compromised via phishing.
Contributing Factors:
No MFA on admin account.
Admin had access to DC.
6. Business Impact:
Operational Impact: DC offline for 15 minutes.
Forensic Impact: Gap in logs from 09:21 to 09:34 (13 minutes).
7. Remediation & Prevention:
Completed Actions:
Logging restored.
Account secured.
Attacker blocked.
Technical Controls Enhanced:
Enforced MFA for all admins.
Moved admin access behind VPN only.
Created alerts for wevtutil set-log (sl) with /enabled:false (/e:false) and for auditpol /set with /success:disable or /failure:disable, as well as auditpol /clear.
Enabled the Audit Policy Change advanced audit subcategory via GPO so that audit-setting changes (Event ID 4719) are always logged and forwarded off-host, where an attacker with local admin rights cannot remove them.
8. Conclusion:
An attacker compromised a domain admin account and disabled event logging and audit policies on the domain controller, creating a blind spot. Splunk detected the configuration changes and enabled rapid restoration, limiting the logging gap to 13 minutes.
Closure Rationale: Logging restored; account secured; attacker blocked.
Analyst: [Your Name], SOC Analyst Date: 2024-03-08 10:30 EST