Windows
These techniques require admin or higher privileges. Common with ransomware.
When the Security log is cleared, event ID 1102 is usually written to it afterwards. When any other log is cleared, event ID 104 is generated in the System log.
Event logs are NOT designed to be deleted selectively: it is all or none. However, some tools can circumvent this and partially clear the logs.
- Mimikatz: event::drop can stop the event log process from writing Security events. It can't restart it though, so the gap is obvious.
- DanderSpritz (leaked by the Shadow Brokers) changes the pointers to the next events in the headers, so the events are not deleted but are not visible either. Deep-dive forensics can help here.
- Invoke-Phant0m kills the threads of the event log service.
One can also suspend the event log process or make changes in RAM. However, all of these actions require admin or higher privileges.
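As an added defender-side example (not part of the original page), the checks below run over constructed event records and flag the two artefacts described above: the explicit clear events (1102 in Security, 104 in System) and non-contiguous EventRecordID sequences, which is what a pointer-editing tool leaves behind in an otherwise append-only log. The record format, field names and sample values are assumptions for the example.

```python
# Added example: detect log clearing and selective log editing from event records.
# EventRecordID values are normally strictly increasing by 1 within one .evtx
# file, so a hole in the sequence inside a single file is worth a closer look.
from dataclasses import dataclass


@dataclass
class EventRecord:
    channel: str    # log name, e.g. "Security" or "System"
    record_id: int  # EventRecordID from the record header
    event_id: int   # EventID


# (channel, event id) pairs that signal an explicit log clear, per the text above.
CLEAR_EVENTS = {("Security", 1102), ("System", 104)}


def find_clear_events(records):
    """Return the record ids of explicit log-clear events, in log order."""
    return [r.record_id for r in records if (r.channel, r.event_id) in CLEAR_EVENTS]


def find_record_gaps(records):
    """Return (channel, last_id_before_gap, first_id_after_gap) per channel."""
    by_channel = {}
    for r in records:
        by_channel.setdefault(r.channel, []).append(r.record_id)
    gaps = []
    for channel, ids in by_channel.items():
        ids = sorted(ids)
        for prev, cur in zip(ids, ids[1:]):
            if cur != prev + 1:  # missing record ids between prev and cur
                gaps.append((channel, prev, cur))
    return gaps


# Constructed sample records: a hole at 5003-5004 in Security, then a 1102
# in Security and a 104 in System. Event ids 4624/4672/7036 are ordinary events.
SAMPLE = [
    EventRecord("Security", 5001, 4624),
    EventRecord("Security", 5002, 4672),
    EventRecord("Security", 5005, 4624),
    EventRecord("Security", 5006, 1102),
    EventRecord("System", 900, 7036),
    EventRecord("System", 901, 104),
]

if __name__ == "__main__":
    print("clear events at record ids:", find_clear_events(SAMPLE))
    print("record id gaps:", find_record_gaps(SAMPLE))
```

Gaps only mean something within one .evtx file; records that rolled off the front of a rotated log are not gaps in the middle of the sequence.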
