Splunk Alert Details
Alert ID: SPLUNK-LOG-CLEAR-1070-7842
Alert Time: 2024-02-19 16:30:45 EST
Severity: HIGH (85/100)
Source: Splunk Enterprise Security
Rule: “Security Logs Cleared – Potential Cover-up”
MITRE ATT&CK: T1070.001 – Indicator Removal: Clear Windows Event Logs
Alert Details:
Correlated Events:
Windows Event ID 1102 (Security Log Cleared):
Time: 16:25 EST
Host: SEC-SRV-045 (Security Server)
User: SYSTEM (via wevtutil)
Log: Security
Details: “The audit log was cleared”
Windows Event ID 104 (System Log Cleared):
Time: 16:25:30 EST
Host: SEC-SRV-045
Log: System
Details: System log cleared
Windows Event ID 33 (PowerShell Operational Log Cleared):
Time: 16:26 EST
Host: SEC-SRV-045
Log: Windows PowerShell
Details: PowerShell log cleared
Process Creation (Event ID 4688):
Time: 16:24 EST
Process: wevtutil.exe
Command: wevtutil cl Security & wevtutil cl System & wevtutil cl "Windows PowerShell"
Preceding Events (now cleared, recovered from forwarded logs):
16:20-16:23 – Multiple failed login attempts (RDP brute force)
16:23 – Successful login from 45.134.225[.]78
16:24 – wevtutil executed to clear logs
Detection Logic:
Multiple event logs cleared in quick succession
wevtutil executed by suspicious process
Preceding failed logins detected via forwarded logs
Pattern matches attacker covering tracks
Additional Context:
Host: Critical security server
Forwarded logs preserved in Splunk (not cleared)
Attacker unaware of centralized logging
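The detection logic above and the attack chain that Splunk recovered can be expressed as a small correlation routine. The following is an added example, not Splunk's rule and not code from the original alert or report: it takes forwarded event records, flags a host where two or more event logs are cleared within a window shortly after a `wevtutil cl` process creation, and enriches the finding with the failed and successful logons that preceded it, which is exactly the context the local logs no longer hold. The five-minute window, the threshold of three failed logons, the set of "log cleared" event IDs (taken from the correlated events listed above) and the event records themselves are assumptions constructed to mirror the alert's timeline.

```python
"""Added example: correlate forwarded Windows events into a log-clearing alert.
Not the page's or Splunk's code. Sample records are constructed, not real telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events mirroring the alert's timeline (2024-02-19, EST).
# The source IP is the defanged IoC from the report, written plainly for parsing.
EVENTS = [
    {"time": "16:20:15", "host": "SEC-SRV-045", "id": 4625, "src_ip": "45.134.225.78", "user": "admin"},
    {"time": "16:20:45", "host": "SEC-SRV-045", "id": 4625, "src_ip": "45.134.225.78", "user": "administrator"},
    {"time": "16:21:15", "host": "SEC-SRV-045", "id": 4625, "src_ip": "45.134.225.78", "user": "sec_admin"},
    {"time": "16:21:45", "host": "SEC-SRV-045", "id": 4625, "src_ip": "45.134.225.78", "user": "svc_monitor"},
    {"time": "16:22:15", "host": "SEC-SRV-045", "id": 4625, "src_ip": "45.134.225.78", "user": "backup_admin"},
    {"time": "16:23:00", "host": "SEC-SRV-045", "id": 4624, "src_ip": "45.134.225.78", "user": "jwilson"},
    {"time": "16:24:00", "host": "SEC-SRV-045", "id": 4688, "process": "wevtutil.exe",
     "cmdline": 'wevtutil cl Security & wevtutil cl System & wevtutil cl "Windows PowerShell"'},
    {"time": "16:25:00", "host": "SEC-SRV-045", "id": 1102, "log": "Security"},
    {"time": "16:25:30", "host": "SEC-SRV-045", "id": 104, "log": "System"},
    {"time": "16:26:00", "host": "SEC-SRV-045", "id": 33, "log": "Windows PowerShell"},
    # Benign noise: a single cleared log on another host with no wevtutil process and no logon context.
    {"time": "16:25:00", "host": "WKS-012", "id": 1102, "log": "Security"},
]

WINDOW = timedelta(minutes=5)            # assumed correlation window
MIN_LOGS_CLEARED = 2                     # "multiple event logs cleared in quick succession"
BRUTE_FORCE_THRESHOLD = 3                # assumed: failed logons that count as brute force
LOG_CLEARED_IDS = {1102, 104, 33}        # IDs as listed in the alert's correlated events
WEVTUTIL_CLEAR = re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.IGNORECASE)


def _ts(clock):
    """Parse an HH:MM:SS clock string against the incident date (assumption)."""
    return datetime.strptime("2024-02-19 " + clock, "%Y-%m-%d %H:%M:%S")


def detect_log_clearing(events, window=WINDOW):
    """Return one alert dict per host whose logs were cleared in the pattern the rule describes."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    alerts = []
    for host, host_events in by_host.items():
        host_events.sort(key=lambda ev: _ts(ev["time"]))
        clears = [ev for ev in host_events if ev["id"] in LOG_CLEARED_IDS]
        if len(clears) < MIN_LOGS_CLEARED:
            continue
        first, last = _ts(clears[0]["time"]), _ts(clears[-1]["time"])
        if last - first > window:
            continue  # isolated clears spread out over time are not "quick succession"

        # The clearing process: a 4688 running "wevtutil cl" shortly before the first clear.
        clearing_cmd = next(
            (ev["cmdline"] for ev in host_events
             if ev["id"] == 4688 and WEVTUTIL_CLEAR.search(ev.get("cmdline", ""))
             and first - window <= _ts(ev["time"]) <= first),
            None)
        if clearing_cmd is None:
            continue

        # Logon context from forwarded records the host itself no longer has.
        prior = [ev for ev in host_events
                 if ev["id"] in (4624, 4625) and first - window <= _ts(ev["time"]) < first]
        failed = [ev for ev in prior if ev["id"] == 4625]
        success = next((ev for ev in reversed(prior) if ev["id"] == 4624), None)
        brute_force = success is not None and len(failed) >= BRUTE_FORCE_THRESHOLD

        alerts.append({
            "host": host,
            "technique": "T1070.001",
            "logs_cleared": [ev["log"] for ev in clears],
            "clearing_command": clearing_cmd,
            "failed_logins_before": len(failed),
            "successful_login": {"user": success["user"], "src_ip": success["src_ip"]} if success else None,
            "severity": "HIGH" if brute_force else "MEDIUM",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_log_clearing(EVENTS):
        print(alert)
```

The routine only works because the records were forwarded before the local copies were cleared; the single cleared log on WKS-012 is not raised because nothing on that host shows a clearing process or the surrounding logon pattern.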
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|------|--------|------------|----------|
| 1. Alert Validation | Verify Splunk correlation | Splunk ES | Confirmed log clearing events |
| 2. Recover Cleared Logs | Check forwarded logs | Splunk (forwarded) | Full activity recovered from Splunk |
| 3. Attacker Activity | Analyze recovered logs | Splunk Search | RDP brute force, successful login, log clearing |
| 4. Immediate Action | Isolate compromised host | CrowdStrike | SEC-SRV-045 quarantined |
| 5. Account Remediation | Reset affected user password | Azure AD, AD | Password reset; MFA enforced |
| 6. Threat Hunting | Check for other cleared logs | Splunk | No other log clearing events |
Jira Incident Report
Ticket: SOC-2024-099
Summary: T1070 – Attacker Clears Security Logs After RDP Brute Force
Status: RESOLVED
Resolution: MALICIOUS – Logs Recovered from Splunk
Priority: P2 – MEDIUM
Labels: T1070, indicator-removal, log-clearing, splunk, rdp-brute-force
Components: Log-Management, Incident-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Splunk Enterprise Security.
Alert: “Security Logs Cleared – Potential Cover-up”.
Host: SEC-SRV-045 (Critical Security Server).
Time: 2024-02-19 16:30 EST.
Technique: MITRE ATT&CK T1070.001 – Indicator Removal: Clear Windows Event Logs.
2. Technical Analysis:
Attack Chain (Recovered from Splunk forwarded logs):
16:20:00 – First RDP connection attempt from 45.134.225[.]78 (user: admin)
16:20:15 – Failed login (wrong password)
16:20:30 – Second attempt (user: administrator)
16:20:45 – Failed
16:21:00 – Third attempt (user: sec_admin)
16:21:15 – Failed
16:21:30 – Fourth attempt (user: svc_monitor)
16:21:45 – Failed
16:22:00 – Fifth attempt (user: backup_admin)
16:22:15 – Failed
16:22:30 – Sixth attempt (user: jwilson)
16:23:00 – SUCCESS (password: Winter2024!)
16:23:30 – Attacker enumerates system
16:24:00 – wevtutil.exe executed
16:24-16:26 – Logs cleared
16:30 – Splunk alert triggers
Compromised Account:
Username: jwilson (standard user)
Password: Winter2024! (weak, reused)
Privileges: Remote Desktop Users group only
Attacker Actions Before Log Clearing:
Enumerated users and groups
Checked running processes
No data exfiltration attempted
Log Recovery:
Local logs cleared (Security, System, PowerShell)
Forwarded logs preserved in Splunk
Complete attack timeline recovered
3. Investigation Findings:
Timeline:
16:20-16:23 – Brute force attempts
16:23 – Successful login
16:24 – Log clearing
16:30 – Alert triggers
16:32 – SOC investigates
16:35 – Host isolated
16:36 – jwilson account disabled
Indicators of Compromise (IoCs):
Network:
– Attacker IP: 45.134.225[.]78
Account:
– jwilson (compromised)
Commands:
– wevtutil cl Security
– wevtutil cl System
– wevtutil cl "Windows PowerShell"
4. Containment Actions:
Immediate Actions:
Isolated compromised host.
Disabled jwilson account.
Blocked attacker IP at firewall.
Terminated any active sessions.
Account Remediation:
Reset jwilson password.
Enforced MFA.
Removed from Remote Desktop Users group (the access was unnecessary).
Host Remediation:
Full scan (no malware found).
Verified no persistence installed.
No reimage needed.
5. Root Cause Analysis:
Primary Cause: Weak password on user account (Winter2024!).
Contributing Factors:
Password policy allowed weak passwords.
RDP exposed to internet (should be VPN only).
User had unnecessary RDP access.
6. Business Impact:
Operational Impact: Security server offline for 1 hour.
Data Exposure: None (attacker interrupted).
Forensic Value: Logs preserved via Splunk.
7. Remediation & Prevention:
Completed Actions:
Host secured.
Account remediated.
Attacker blocked.
Technical Controls Enhanced:
Enforced strong password policy.
Moved RDP behind VPN only.
Enhanced monitoring for log clearing events.
8. Conclusion:
An attacker performed RDP brute force, successfully logged in using a weak password, and attempted to cover tracks by clearing security logs. Splunk’s forwarded logs preserved the full attack timeline. The host was isolated, and the account secured before any data exfiltration.
Closure Rationale: Logs recovered; account secured; attacker blocked.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-19 17:30 EST