Indicator Removal: Clear Windows Event Logs
Created the Saturday 23 March 2019. Updated 1 year, 2 months ago.
Event logging is a process that records important software and hardware events from various sources and stores them in a centralized location called an event log. This service is commonly used by applications and operating systems to track and troubleshoot issues, and can be a valuable tool for forensic investigations.
Event logs can provide valuable information about the actions taken by an attacker during a security breach, including the time and date of the attack, the source of the attack, and any changes made to the system. However, attackers may attempt to delete or clear event logs to conceal their actions and evade detection.
Forensic investigators can look for signs of event log tampering by checking for the presence of event clear ID 1102, which indicates that the audit log has been cleared. This can be an indication that an attacker has attempted to cover their tracks.
Code Snippets
Detection Rules
Additional Resources
External Links
The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.
- https://0x00sec.org/t/anti-forensic-and-file-less-malware/10008#221-disabling-event-logging
- Indicator Removal on Host: Clear Windows Event Logs, Sub-technique T1070.001 - Enterprise | MITRE ATT&CK®
- 1102(S) The audit log was cleared. (Windows 10) | Microsoft Learn