❗️These techniques require admin or higher privileges. ❗️Common with ransomware
When the Security log is cleared, Event ID 1102 ("The audit log was cleared") is written as the first entry of the freshly emptied log. When any other log (System, Application, ...) is cleared, Event ID 104 is generated in the System log. Both are the first things to hunt for.
Event logs are NOT designed to be cleared selectively: the API clears all or nothing. However, some tools circumvent this and can partially clear or silence the logs without producing 1102/104.
event::drop (Mimikatz) patches the Event Log service so it stops writing Security events. It can't restart it, though, so the sudden silence in the Security log is obvious to anyone who looks.
DanderSpritz (leaked by ShadowBrokers) edits the pointers to the next record in the log's headers. The events are not deleted, they are simply no longer reachable by Event Viewer or the API. Deep-dive forensics on the raw .evtx (carving the unreferenced records) recovers them.
Invoke-Phant0m kills the threads of the Event Log service, so the service still shows as running but nothing gets logged.
One can also suspend the Event Log process or patch it in RAM. However, all of these actions require 👑 (admin/SYSTEM).
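The two detection angles above (the 1102/104 clear markers, and a Security log that goes silent while other logs keep writing, which is what event::drop, Invoke-Phant0m or a suspended service leave behind) as a small added example. This is not code from the page or from any of the tools named; the records are constructed to look like `Get-WinEvent` output exported to JSON, and the 30-minute silence threshold is an assumption to be tuned to the host's normal event rate.

```python
"""Hunt for cleared and silenced Windows event logs in exported records.

Constructed example: each record mimics a Get-WinEvent object
(LogName, Id, TimeCreated as ISO 8601, ProviderName). Real input would come
from `Get-WinEvent | ConvertTo-Json` or an EVTX parser.
"""
from datetime import datetime, timedelta

# Windows event IDs that mark a cleared log.
CLEAR_EVENTS = {
    ("Security", 1102): "Security log cleared (1102 is the first record after the wipe)",
    ("System", 104): "Non-Security log cleared (104 lands in the System log)",
}

# Constructed sample: two normal logon events, then the Security log is
# cleared (1102), the Application log is cleared (104), and afterwards only
# the System log keeps writing while Security stays silent.
SAMPLE_RECORDS = [
    {"LogName": "Security", "Id": 4624, "TimeCreated": "2024-05-01T09:00:00",
     "ProviderName": "Microsoft-Windows-Security-Auditing"},
    {"LogName": "Security", "Id": 4672, "TimeCreated": "2024-05-01T09:05:00",
     "ProviderName": "Microsoft-Windows-Security-Auditing"},
    {"LogName": "Security", "Id": 1102, "TimeCreated": "2024-05-01T09:10:00",
     "ProviderName": "Microsoft-Windows-Eventlog"},
    {"LogName": "System", "Id": 104, "TimeCreated": "2024-05-01T09:11:00",
     "ProviderName": "Microsoft-Windows-Eventlog"},
    {"LogName": "System", "Id": 7036, "TimeCreated": "2024-05-01T12:00:00",
     "ProviderName": "Service Control Manager"},
]


def find_clear_events(records):
    """Return (TimeCreated, description) for every 1102 / 104 record."""
    hits = []
    for r in records:
        key = (r["LogName"], r["Id"])
        if key in CLEAR_EVENTS:
            hits.append((r["TimeCreated"], CLEAR_EVENTS[key]))
    return hits


def find_silence(records, target="Security", max_gap_minutes=30):
    """Flag a target log that stopped writing while other logs carried on.

    event::drop / Invoke-Phant0m leave the service 'running' but mute, so
    the tell is the newest record in any other log being far newer than the
    newest record in the target log. Threshold is an assumption for this
    example. Returns None when nothing is suspicious.
    """
    newest = {}
    for r in records:
        t = datetime.fromisoformat(r["TimeCreated"])
        if t > newest.get(r["LogName"], datetime.min):
            newest[r["LogName"]] = t
    if target not in newest:
        return None
    newest_other = max((t for name, t in newest.items() if name != target),
                       default=None)
    if newest_other is None:
        return None
    gap = newest_other - newest[target]
    if gap > timedelta(minutes=max_gap_minutes):
        return {"log": target,
                "last_event": newest[target].isoformat(),
                "gap_minutes": round(gap.total_seconds() / 60)}
    return None


if __name__ == "__main__":
    for when, what in find_clear_events(SAMPLE_RECORDS):
        print(f"[clear] {when}  {what}")
    silence = find_silence(SAMPLE_RECORDS)
    if silence:
        print(f"[silence] {silence['log']} log stopped at {silence['last_event']}, "
              f"other logs continued for {silence['gap_minutes']} more minutes")
```

An 1102 with no preceding records is exactly what a normal clear looks like, so the hit itself is the alert; the silence check is the one that catches the tools that avoid 1102 altogether. On a quiet host the gap heuristic will fire on its own, so in practice pair it with something that should always write (a scheduled logon or the System log's own service events, as in the sample).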