Video “Incident Response Process - CompTIA Security+ SY0-501 - 5.4”
The Incident Response Life Cycle is comprised of:
Use logs for finding baselines and also to find indicators (for example, of compromise).
Detection methods have different levels of detail or perception. The question is how to find a legitimate threat.
DFIR summit presentation “The Audit Log Was Cleared - SANS Digital Forensics and Incident Response Summit 2017”
How to mitigate - have logs be forwarded in SIEM, look for gaps and stoppage. SIEM is not just log collector but something that can base rules around
Check registry and look for timestamps ie use Volatility to dump memory services https://youtu.be/7JIftAw8wQY?t=1719
Attacker technique - EventLog editing with Mimikatz https://youtu.be/7JIftAw8wQY?t=1754
When ‘event clear’ event was done, run mimikatz event drop. What it does is it patches the event log service and prevents service from writing event logs. Now you can clear the event log message of the event log being cleared entry aka no evidence of it being cleared.
If you are doing event log clearing and no alerts then it does not work.
Thread disruption via Invoke-Phant0m - https://youtu.be/7JIftAw8wQY?t=2029 Attempt using in the wild
Logs are powerful. We tend to take event logs at face value, they don’t think to themselves about trusting the user or eventID. You know that a system has been compromised but you know that the system logs belong to the user and have ability to mess around artifacts etc.
Tracking attacks against integrity of event logs is important. Have evidence of threat actors clearing event logs from basic to complicated. To manipulate trace they were there in first place.
Another mitigation is to correlate what happens at the disk at the time. Look at other artefacts before/after event. Look at SIEM and see what has been forwarded. There are many great tools - ie recover Event Logs from memory and from disk. These areas are covered very well.