Security Event Logs being cleared by User=SYSTEM

(@acuster69)
New Member
Joined: 16 years ago
Posts: 2
Topic starter  

OK, I am dumbfounded on this one.

Our Security event logs are being cleared. This is a serious violation of our ITRM policy for obvious reasons. The event log states USER=system. Clearing always occurs at the top of the hour. This behavior is indicative of a script or EXE. All the obvious places have been checked: GPO and scheduled tasks. We have checked the other logs, and nothing occurs around the same time. The SA team is thinking it is an application proc doing this, but I need definitive proof of the root cause.

Are there any other logs, or auditing, that will show what proc, running under the system context, is clearing the security log? Or does anyone know of a free app that has more granular auditing?

I am hoping this community can help me before I open a case with MS.

Thanks In Advance
Aaron

(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

Greetings,

Sounds like you need to apply basic malware or intrusion response techniques. A quick start would be to monitor all running processes during the time period in question. See if any new processes appear, see what touches the event log, etc.

Some of the best free tools to get started with are the Microsoft Sysinternals tools: http://technet.microsoft.com/en-us/sysinternals/default.aspx

-David

(@mindsmith)
Estimable Member
Joined: 20 years ago
Posts: 174
 

Whilst it may be the result of a scheduled job on the system, have you also checked the Security event log settings on the DC? It could be possible that the event log max size is set too low and that it is set to clear events automatically when the log becomes full (overwrite events as needed), but that wouldn't necessarily account for the logs being cleared at the top of every hour every single time.

Just a thought.

(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

The idea of checking other systems for indications of scheduled jobs is a good one…also check services on the victim system, as well as any process that may be launching a child process.

Have you tried analyzing a memory dump?

If this is occurring at the top of every hour, have you guys done any real close-up testing and analysis? Memory dump. Remove the system from the network and see if it still happens. If not, connect it back to the network and monitor with a sniffer. If the logs do get cleared, at least you've narrowed it down.

Try installing a tool that converts logs to syslog, as they are generated. That way, at least you have them. Heck, it might even help if you have the syslog saved locally on the box…not that that's preferred but it would help.

(@ctendell)
Trusted Member
Joined: 16 years ago
Posts: 62
 

I agree with David. I would monitor the system at the top of the hour using the Task Manager and have netstat -a running. It will show if you have any inbound network connections as well as determine if a process is causing the deletion.

On a side note, I know of an application called Eraser that securely deletes files on a system on a schedule. It never gets entered into the scheduled tasks. I'd check for installed applications as well.

On the network side, slap Wireshark on the line and monitor for that IP address.

Oh and David, I sent you an email.
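The monitoring that David, keydet89 and ctendell describe (watch the process table at the top of the hour, note parent/child relationships, correlate with the clear) as an added example; this script is not from any poster in this thread. It assumes it is run elevated on the affected host with PowerShell 5.1 or later; the CSV path is an assumption, and the 1102/517 "audit log was cleared" event IDs come from general Windows auditing knowledge, not from the thread.

```powershell
# Added example, not from any poster in this thread. Watches the process table
# around the next top of the hour, records every new process with its parent and
# command line, then lists any "audit log cleared" records from the same window.
# Assumptions: run elevated on the affected host; PowerShell 5.1 or later.
$LeadSeconds  = 120      # begin watching this long before :00
$TrailSeconds = 180      # keep watching this long after :00
$OutFile = Join-Path $env:TEMP 'hourly-proc-watch.csv'   # assumed output path

function Get-ProcSnapshot {
    # Win32_Process exposes ParentProcessId and CommandLine; Get-Process does not.
    $t = @{}
    foreach ($p in Get-CimInstance Win32_Process) { $t[$p.ProcessId] = $p }
    return $t
}

$now   = Get-Date
$top   = $now.Date.AddHours($now.Hour + 1)           # next top of the hour
$start = $top.AddSeconds(-$LeadSeconds)
if ($now -lt $start) { Start-Sleep -Seconds ([int]($start - $now).TotalSeconds) }

$seen = Get-ProcSnapshot
while ((Get-Date) -lt $top.AddSeconds($TrailSeconds)) {
    $snap = Get-ProcSnapshot
    foreach ($id in $snap.Keys) {
        if ($seen.ContainsKey($id)) { continue }     # already running, skip
        $p = $snap[$id]
        # The parent may have exited already, so look in both snapshots.
        $parent = $seen[$p.ParentProcessId]
        if (-not $parent) { $parent = $snap[$p.ParentProcessId] }
        $parentName = if ($parent) { $parent.Name } else { '?' }
        [pscustomobject]@{
            Seen        = (Get-Date).ToString('s')
            Pid         = $id
            Name        = $p.Name
            ParentPid   = $p.ParentProcessId
            ParentName  = $parentName
            CommandLine = $p.CommandLine
        } | Export-Csv -Path $OutFile -Append -NoTypeInformation
    }
    $seen = $snap
    Start-Sleep -Seconds 2
}

# The clear itself survives as the first entry of the fresh log: ID 1102
# ("The audit log was cleared") on Vista and later, ID 517 on XP/2003.
# Properties[1] of a 1102 record is the SubjectUserName field.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102, 517; StartTime = $start } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Actor'; e = { $_.Properties[1].Value } } |
    Format-Table -AutoSize
"New processes written to $OutFile"
```

Anything that appears in the CSV within seconds of a 1102/517 record, together with its parent and command line, is the candidate the SA team needs to explain.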
(@acuster69)
New Member
Joined: 16 years ago
Posts: 2
Topic starter  

Those are great suggestions, but the problem is that they are being cleared at different times. I should have clarified that clearing always occurs at the top of the hour, but not every hour. I have opened a Sev B case with MS. I will let you know if we find out what is going on here.

APC
