Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
Attackers often remove log files to evade detection. On a default Windows configuration, an attacker can easily remove event logs with system or attack tools. But an attacker needs network access and appropriate privileges to delete log files from a victim server remotely. This activity can lead to the loss of important data for network defense.
The system might change the risk score for this detection.
Kill Chain
Risk Score
65
The event logging service is a logging system on Microsoft Windows devices that records important system and application events such as logins, errors, security alerts, and service stops and starts. The event log might contain indicators of malicious activity. After an attacker completes the objective, they might attempt to delete the event logs to avoid detection and eliminate evidence. One approach for remotely deleting log files is to send Microsoft remote procedure call (MS-RPC) requests to the eventlog or EventLogRemoting interface on the victim device.
Restrict permissions on log files to prevent unauthorized access or tampering
Store a backup of critical logs remotely to allow recovery of manipulated or destroyed data
Limit the number of privileged users in your environment
