Anti-Forensics
- ID: AF002.001
- Created: 25th May 2024
- Updated: 09th June 2024
- Platform: Windows
- Contributor: The ITM Team
Clear Windows Event Logs
A subject clears Windows Event logs to conceal evidence of their activities.
Windows Event Logs store various types of information, such as system errors, application events, security auditing messages, and other operational events.
The logs are stored in C:/WINDOWS/system32/config.
Windows Event Logs can be cleared using the Event Viewer utility, provided the user account has administrative privileges.
Prevention
ID | Name | Description |
---|---|---|
PV002 | Restrict Access to Administrative Privileges | The Principle of Least Privilege should be enforced, and periodic reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete duties as per their role. |
Detection
ID | Name | Description |
---|---|---|
DT055 | PowerShell Logging | Detailed PowerShell logging is not enabled by default and must be configured. PowerShell is able to record the processing of commands, script blocks, functions, and scripts whether invoked interactively or through automation. These are recorded as Windows Event logs in the PowerShellCore/Operational log as Event ID 4104. |
DT014 | Utilize Cold Storage for Logs | By autonomously collecting log files from a system and transporting them to another system, such as a SIEM collector, they are typically no longer accessible by the subject, preventing them from being able to delete them. These can aid in investigations where a subject has deleted local logs. |
DT003 | Windows File Deleted, Event Logs | Windows Event Log ID 4660 “An object was deleted” is generated when an object was deleted, such as a file system, kernel, or registry object. This Event is not enabled by default, and requires “Delete” auditing to be enabled in the object’s System Access Control List (SACL). This event doesn’t contain the name of the deleted object, so investigators must also utilize Event ID 4663. Windows Event Log ID 4663 “An attempt was made to access an object” can be used in combination with Event ID 4660 to track object deletion; it has the same requirement that “Delete” auditing be enabled in the object’s SACL. This may represent an anti-forensics technique if there is no reasonable explanation for why the object was deleted from the system. |
DT004 | Windows System Logging was Cleared | Windows Event Log ID 1102 “The audit log was cleared” is generated when the Windows Security audit log has been cleared. This Event contains the account's SID, name, and domain that cleared the log. This may represent an anti-forensics technique if there is no reasonable explanation for why the Event Log was cleared on this system. |
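The following is an added example of how a responder might act on DT004 and DT055 together; it is not part of the ITM page or any ITM tooling. It queries the Security log for Event ID 1102, extracts the SID, name, and domain of the account that cleared the log (for 1102 these live under `UserData/LogFileCleared` in the event XML rather than `EventData`), and then lists any PowerShell script blocks (Event ID 4104) logged in the minutes before each clear so the two detections can be reviewed side by side. The function name `Find-EventLogClears`, the parameter defaults, and the `Microsoft-Windows-PowerShell/Operational` log name (the Windows PowerShell 5.x location; the page names `PowerShellCore/Operational`, which is the PowerShell 7 equivalent) are assumptions of this example. It must run with rights to read the Security log, which ordinarily means an administrative or Event Log Readers account.

```powershell
# Added example (not from the ITM page): surface Security log clears (1102) and the
# PowerShell script blocks (4104) logged shortly before each one.
function Find-EventLogClears {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # assumed default: local host
        [int]$LookbackDays = 30,                     # assumed default window
        [int]$CorrelationMinutes = 5,                # assumed window before each 1102
        # Assumed log name for Windows PowerShell 5.x; PowerShell 7 logs to PowerShellCore/Operational.
        [string]$PowerShellLog = 'Microsoft-Windows-PowerShell/Operational'
    )

    $since = (Get-Date).AddDays(-$LookbackDays)

    # Get-WinEvent throws when nothing matches; treat that as an empty result instead of a failure.
    $clears = @()
    try {
        $clears = Get-WinEvent -ComputerName $ComputerName -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 1102; StartTime = $since
        }
    }
    catch {
        if ($_.Exception.Message -notlike '*No events were found*') { throw }
    }

    foreach ($clear in $clears) {
        # 1102 stores the subject under UserData/LogFileCleared, not EventData.
        $xml     = [xml]$clear.ToXml()
        $subject = $xml.Event.UserData.LogFileCleared

        # Pull 4104 script blocks logged in the window immediately before the clear (DT055).
        $blocks = @()
        try {
            $blocks = Get-WinEvent -ComputerName $ComputerName -ErrorAction Stop -FilterHashtable @{
                LogName   = $PowerShellLog
                Id        = 4104
                StartTime = $clear.TimeCreated.AddMinutes(-$CorrelationMinutes)
                EndTime   = $clear.TimeCreated
            }
        }
        catch {
            if ($_.Exception.Message -notlike '*No events were found*') { throw }
        }

        $scriptText = foreach ($b in $blocks) {
            $bx = [xml]$b.ToXml()
            ($bx.Event.EventData.Data | Where-Object { $_.Name -eq 'ScriptBlockText' }).'#text'
        }

        [pscustomobject]@{
            TimeCreated      = $clear.TimeCreated
            Computer         = $xml.Event.System.Computer
            SubjectDomain    = $subject.SubjectDomainName
            SubjectUser      = $subject.SubjectUserName
            SubjectSid       = $subject.SubjectUserSid
            LogonId          = $subject.SubjectLogonId
            PriorScriptBlocks = @($scriptText).Count
            ScriptBlockText  = ($scriptText -join "`n---`n")
        }
    }
}

# Usage: review every clear in the last 30 days, newest first.
Find-EventLogClears | Sort-Object TimeCreated -Descending | Format-List
```

Because a subject who clears the Security log also removes earlier 1102 entries, the clear you can see is only the most recent one on that host; run the same query against the forwarded copy held by a collector (DT014) to recover the ones that were cleared before it. An empty result from this function is therefore not evidence that no clearing occurred.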