ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: AF002.001
  • Created: 25th May 2024
  • Updated: 09th June 2024
  • Platform: Windows
  • Contributor: The ITM Team

Clear Windows Event Logs

A subject clears Windows Event logs to conceal evidence of their activities.

Windows Event Logs store various types of information, such as system errors, application events, security auditing messages, and other operational events.

The logs are stored in C:/WINDOWS/system32/config.

Windows Event Logs can be cleared using the Event Viewer utility, provided the user account has administrative privileges.

Prevention

ID Name Description
PV002Restrict Access to Administrative Privileges

The Principle of Least Privilege should be enforced, and period reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete duties as per their role.

Detection

ID Name Description
DT055PowerShell Logging

Detailed PowerShell logging is not enabled by default and must be configured.

PowerShell is able to record the processing of commands, script blocks, functions, and scripts whether invoked interactively, or through automation. These can be reviewed as Windows Event logs to the PowerShellCore/Operational log as Event ID 4104.

DT014Utilize Cold Storage for Logs

By autonomously collecting log files from a system and transporting them to another system, such as a SIEM collector, they are typically no longer accessible by the subject, preventing them from being able to delete them. These can aid in investigations where a subject has deleted local logs.

DT003Windows File Deleted, Event Logs

Windows Event Log ID 4660 “An object was deleted” is generated when an object was deleted, such as a file system, kernel, or registry object. This Event is not enabled by default, and requires “Delete” auditing to be enabled in the object’s System Access Control List (SACL). This event doesn’t contain the name of the deleted object, so investigators must also utilize Event ID 4663.

Windows Event Log ID 4663 “An attempt was made to access an object” can be used in combination with Event ID 4660 to track object deletion. This Event is not enabled by default, and requires “Delete” auditing to be enabled in the object’s System Access Control List (SACL).

This may represent an anti-forensics technique if there is no reasonable explanation for why the objected was deleted from the system.

DT004Windows System Logging was Cleared

Windows Event Log ID 1102 “The audit log was cleared” is generated when the Windows Security audit log has been cleared. This Event contains the account's SID, name, and domain that cleared the log.

This may represent an anti-forensics technique if there is no reasonable explanation for why the Event Log was cleared on this system.