Learn how to effectively investigate, contain and remediate this incident by following our Response Playbook.
System event logs serve as the fundamental digital footprints of all activity on a device, recording everything from routine logins to unauthorized privilege escalations and data access. Because they provide an exact forensic trail of a breach, they are often the first line of defense targeted by adversaries attempting to operate undetected within your network.
A Log Tampering incident is a critical alert signaling that a threat actor has intentionally manipulated these essential logs on one of your organization's endpoints.
This incident is only detected on endpoints that have the Lumu Windows Agent or Windows Server Agent installed.
Lumu detect three methods of manipulation attackers generally rely on to maintain their stealth and disrupt your visibility:
Log tampering is rarely an isolated event; it acts as a high-confidence indicator that a broader, more damaging attack is underway within your organization. Adversaries manipulate these records to either proactively prepare for a major objective (such as deploying ransomware or exfiltrating data) without being recorded, or to cover their tracks after a successful breach to erase their digital footprints and maintain their presence within your network.
This document outlines how the Lumu Portal delivers valuable insight into the detection of this attack by providing the necessary context to support the decision-making of your organization's response team.
The Lumu Portal captures specific metadata and endpoint context to facilitate forensic analysis and determine the root cause of the incident. The data collected includes:
The Lumu Portal delivers the collected data to facilitate rapid triage and decision-making. The data is displayed as follows:
1. Summary: This section provides the timeline and operational metrics of the incident. Including the Creation Date, First Event, and Last Event to establish the exact window of the malicious activity.
2. Endpoint Alerts: This section provides a detailed view of each log tampering event detected on the endpoint. Since log tampering typically occurs in the middle of a broader attack chain to conceal evidence of other operations, this detailed view is essential to effectively triage the event and piece together the attacker's primary objective. It includes:
wevtutil cl Security) used to bypass detection.auditpol.exe) that modify Windows audit policies. This will help you understand exactly how the attacker impaired the system's defensive capabilities to disable security auditing.While the Lumu Portal displays the most critical data points—such as the top attacking sources and target users—complex attacks often involve volumes of traffic that exceed what can be efficiently displayed on a single screen. For that reason, the Lumu allows in-depth investigations with its Export Feature. It allows analysts to move beyond the high-level summary and access the complete forensic dataset of the incident.
You can export data using the download button located at the top of the page (1) or using the button below the Summary section (2).
You can export the following data for this incident: