Log Tampering Detection

Log Tampering Detection

NotesLearn how to effectively investigate, contain and remediate this incident by following our Response Playbook.

System event logs serve as the fundamental digital footprints of all activity on a device, recording everything from routine logins to unauthorized privilege escalations and data access. Because they provide an exact forensic trail of a breach, they are often the first line of defense targeted by adversaries attempting to operate undetected within your network.

A Log Tampering incident is a critical alert signaling that a threat actor has intentionally manipulated these essential logs on one of your organization's endpoints.

NotesThis incident is only detected on endpoints that have the Lumu Windows Agent or Windows Server Agent installed.

Lumu detect three methods of manipulation attackers generally rely on to maintain their stealth and disrupt your visibility:

  • Clear system logs: Wiping the entire event log to eradicate recent historical data, effectively blinding forensic investigators and leaving no trail behind.
  • Stop system logs: Halting or disabling the background services responsible for writing logs right before executing malicious actions, preventing any record from being generated in the first place.
  • Modify system logs: Surgically altering specific log entries to remove only the traces of their attack, leaving the rest of the file intact to avoid raising immediate suspicion.

Log tampering is rarely an isolated event; it acts as a high-confidence indicator that a broader, more damaging attack is underway within your organization. Adversaries manipulate these records to either proactively prepare for a major objective (such as deploying ransomware or exfiltrating data) without being recorded, or to cover their tracks after a successful breach to erase their digital footprints and maintain their presence within your network.

This document outlines how the Lumu Portal delivers valuable insight into the detection of this attack by providing the necessary context to support the decision-making of your organization's response team.

Collected Data

The Lumu Portal captures specific metadata and endpoint context to facilitate forensic analysis and determine the root cause of the incident. The data collected includes:

  • Method Used: Identifies exactly how the logs were manipulated (e.g., Event Log Service Shutdown, Clear, Modify).
  • Channel Affected: The specific event log channel targeted (e.g., Security).
  • Logged User: The identity of the user active during the tampering event.
  • Endpoint details: The specific hostname and IP address of the affected device.
  • Context Data: A comprehensive snapshot of the system's state at the time of the incident, capturing users, network activity, file system changes, running processes, and registry modifications.

Incident Details

The Lumu Portal delivers the collected data to facilitate rapid triage and decision-making. The data is displayed as follows:


1. Summary: This section provides the timeline and operational metrics of the incident. Including the Creation Date, First Event, and Last Event to establish the exact window of the malicious activity.

2. Endpoint Alerts: This section provides a detailed view of each log tampering event detected on the endpoint. Since log tampering typically occurs in the middle of a broader attack chain to conceal evidence of other operations, this detailed view is essential to effectively triage the event and piece together the attacker's primary objective. It includes:

  • Alert Details: Shows the exact timestamp, Method Used (e.g., Event Log Service Shutdown), Channel Affected, Logged User, Endpoint, and Endpoint IP to help analysts identify which specific machine is compromised, which user account was hijacked to perform the action, and the exact tool or method (such as built-in Windows utilities like wevtutil cl Security) used to bypass detection.
  • Context Data Snapshot: Expanding the context reveals a deep-dive forensic snapshot of the system at the exact moment the logs were tampered with. Even if the primary event logs are wiped or disabled, analysts still have a record of the system's state to determine the root cause. On this section, you can find the following:
    • User Context: Tracks account behavior and administrative privileges. Analysts use this to correlate user activity with potential security incidents and identify if an account requires immediate credential rotation.
    • Network Activity Context: Displays all active network connections (excluding loopback), showing the source port, destination, and the linked process. This allows analysts to identify suspicious network activity, such as active connections to known Command and Control (C2) infrastructure or unauthorized RDP sessions occurring right before the tampering.
    • File System Context: Monitors critical directories (Downloads, Temp, AppData, ProgramData) for recently created executables and scripts, calculating their SHA256 hashes. Analysts use this to locate dropped malware payloads or the specific malicious scripts responsible for clearing the logs.
    • Process Activity Context: Identifies enabled scheduled tasks containing suspicious commands. Because attackers who clear logs often intend to maintain long-term access, this metric can be used to quickly audit the system for hidden persistence mechanisms.
    • Registry Activity Context: Monitors commands (like auditpol.exe) that modify Windows audit policies. This will help you understand exactly how the attacker impaired the system's defensive capabilities to disable security auditing.

Incident data export

While the Lumu Portal displays the most critical data points—such as the top attacking sources and target users—complex attacks often involve volumes of traffic that exceed what can be efficiently displayed on a single screen. For that reason, the Lumu allows in-depth investigations with its Export Feature. It allows analysts to move beyond the high-level summary and access the complete forensic dataset of the incident.

You can export data using the download button located at the top of the page (1) or using the button below the Summary section (2).

Exportable data

You can export the following data for this incident:

  • All log tampering events
    Generates a JSONL file with the information of every Log Tampering event recorded in the incident.
  • Single event context
    Generate a JSONL file with the context information of a single Log tampering event recorded within an incident.
  • Specific context data
    Generate a JSONL file with the specific context information of a single Log tampering event recorded within an incident. You can select from the:
    • User Context
    • Network Activity Context
    • File System Context
    • Process Activity Context
    • Registry Activity Context

      Get an AI Summary

          • Related Articles

          • Log Tampering Response Playbook

            Log Tampering Incident Response Playbook This incident is only detected on endpoints that have Lumu’s Windows Agent or Windows Server Agent installed. Learn more information about Lumu Agents in our documentation. The Lumu Log Tampering Incident ...
          • Login Brute force Incident Response Playbook

            The Lumu Login Brute force Incident Response Playbook is based on the Computer Security Incident Handling Guide by the National Institute of Standards and Technology (NIST). According to NIST special publication 800-61, the incident response life ...
          • DNS Tunneling Detection

            Learn how to effectively investigate, contain and remediate this incident by following our Response Playbook. Threat actors continuously seek ways to bypass perimeter defenses, and the Domain Name System (DNS) provides the perfect camouflage. Because ...
          • Data Exfiltration Detection

            Login Bruteforce incidents are patterns of high-volume, repetitive authentication failures targeting an organization's identity infrastructure. Unlike network-level attacks, these incidents directly target the Active Directory of your organization, ...
          • Login Brute Force Detection

            Login Bruteforce incidents are patterns of high-volume, repetitive authentication failures targeting an organization's identity infrastructure. Unlike network-level attacks, these incidents directly target the Active Directory of your organization, ...