🤔 How Do I Check For Logs Clearing?

Created: 24.06.2023

Windows

❗️ These techniques require admin or higher privileges. ❗️ Log clearing is common in ransomware intrusions.

When the Security log is cleared, Event ID 1102 ("The audit log was cleared") is normally written to the Security log right afterwards. When any other log is cleared, Event ID 104 ("The ... log file was cleared") is written to the System log. Both come from the Microsoft-Windows-Eventlog provider and record the account that did the clearing.

Event logs are NOT designed to be deleted selectively: through the supported API it is all or nothing. However, some tools circumvent this and can effectively remove or suppress individual events:

  1. πŸ› οΈ Mimikatz - πŸ“• event::drop can stop the event log process from writing Security events. It can’t restart it through, so, obvious.
  2. πŸ› οΈ DanderSprite - (leaked by ShadowBrokers) change the pointers to the next events in the headers. So, the events are not deleted but are not visible either. Deep dive forensics to help here.
  3. πŸ› οΈ Invoke-Phant0m - kill the threads of event logs.

One can also suspend the Event Log process or tamper with its memory directly. All of these actions, however, require 👑 (admin or SYSTEM).
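The check that follows from the above is twofold: look for the explicit clear events (1102 in Security, 104 in System), and look for logs that have silently stopped being written, which is the trace left by event::drop, DanderSpritz-style pointer edits and Invoke-Phant0m. The script below is an added example, not part of the original page or of any of the tools named; it must be run elevated, and the lookback window and the staleness threshold ($LookbackDays, $StaleMinutes) are assumptions to tune for the host.

```powershell
# Added example: hunt for explicit log clears and for logs that have gone quiet.
# Save as Check-LogClearing.ps1 and run from an elevated PowerShell session
# (reading the Security log requires admin rights).
param(
    [int]$LookbackDays = 30,   # assumption: how far back to look for 1102/104
    [int]$StaleMinutes = 60    # assumption: a live host writes Security/System at least hourly
)

$since = (Get-Date).AddDays(-$LookbackDays)

# 1. Explicit clears. 1102 lives in Security, 104 in System; both are written by
#    the Microsoft-Windows-Eventlog provider and carry the actor in UserData.
$filters = @(
    @{ LogName = 'Security'; Id = 1102; StartTime = $since },
    @{ LogName = 'System';   Id = 104;  StartTime = $since }
)

$cleared = foreach ($f in $filters) {
    # Get-WinEvent raises a non-terminating "No events were found" when nothing matches.
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
        # Both events store the details under UserData/LogFileCleared:
        # SubjectUserName/SubjectDomainName for both, Channel only for 104.
        $x = [xml]$_.ToXml()
        $d = $x.Event.UserData.LogFileCleared
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Log     = $_.LogName
            Id      = $_.Id
            Cleared = if ($_.Id -eq 1102) { 'Security' } else { $d.Channel }
            Actor   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        }
    }
}

# 2. Silent stops. Patched, unlinked or thread-killed logging produces no 1102/104.
#    What it does produce is a log whose LastWriteTime stops advancing while the
#    EventLog service still reports Running, so compare the two.
$svc   = Get-Service -Name EventLog
$stale = Get-WinEvent -ListLog Security, System, Application |
    Where-Object {
        $_.IsEnabled -and $_.LastWriteTime -lt (Get-Date).AddMinutes(-$StaleMinutes)
    } |
    Select-Object LogName, RecordCount, LastWriteTime

# One object per host so the result can be exported or compared across machines.
[pscustomobject]@{
    Host            = $env:COMPUTERNAME
    EventLogService = $svc.Status
    ClearEvents     = @($cleared)
    StaleLogs       = @($stale)
}
```

A hit in ClearEvents names who cleared what and when; an entry in StaleLogs with EventLogService still Running is the pattern to treat as suspicious, since a normal shutdown of logging would have stopped the service rather than left it idle. The missing-evidence case (records unlinked by DanderSpritz) will not show in either list and needs the raw .evtx file carved offline.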
