- ID: DT004
- Created: 25th May 2024
- Updated: 25th May 2024
- Platform: Windows
- Contributor: The ITM Team
Windows System Logging was Cleared
Windows Event Log ID 1102, “The audit log was cleared”, is generated when the Windows Security audit log has been cleared. The event records the SID, account name, and domain of the account that cleared the log.
This may represent an anti-forensics technique if there is no reasonable explanation for why the Event Log was cleared on this system.
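The detection described above as runnable logic, an added example that is not part of the ITM entry: it parses exported Event Log XML, keeps only Event ID 1102 in the Security channel, and pulls the subject's SID, account name and domain from the LogFileCleared payload. The function name, the sample events and every value in them (SID, hostname, record IDs, timestamps) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Default namespaces in Windows Event Log XML: the System block uses the
# events/event namespace, the 1102 UserData payload (LogFileCleared) its own.
NS_EVT = "{http://schemas.microsoft.com/win/2004/08/events/event}"
NS_LOG = "{http://manifests.microsoft.com/win/2004/08/windows/eventlog}"

def find_cleared_audit_logs(xml_events):
    """Return one alert per Event ID 1102 in the Security channel, carrying
    the SID, account name and domain of the subject that cleared the log."""
    alerts = []
    for raw in xml_events:
        root = ET.fromstring(raw)
        system = root.find(NS_EVT + "System")
        if (system is None or system.findtext(NS_EVT + "EventID") != "1102"
                or system.findtext(NS_EVT + "Channel") != "Security"):
            continue
        when = system.find(NS_EVT + "TimeCreated")
        cleared = root.find(NS_EVT + "UserData/" + NS_LOG + "LogFileCleared")
        # A 1102 with no LogFileCleared payload is malformed; surface it anyway.
        subject = {} if cleared is None else {
            "sid": cleared.findtext(NS_LOG + "SubjectUserSid"),
            "account": cleared.findtext(NS_LOG + "SubjectUserName"),
            "domain": cleared.findtext(NS_LOG + "SubjectDomainName"),
        }
        alerts.append({
            "computer": system.findtext(NS_EVT + "Computer"),
            "time": None if when is None else when.get("SystemTime"),
            "record_id": system.findtext(NS_EVT + "EventRecordID"),
            **subject,
        })
    return alerts

# Constructed sample events (not real telemetry): one 1102 clear, one 4624 logon.
SAMPLE_EVENTS = [
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Eventlog"/><EventID>1102</EventID>
  <TimeCreated SystemTime="2024-05-25T10:14:03.123456Z"/>
  <EventRecordID>58211</EventRecordID><Channel>Security</Channel>
  <Computer>WS01.corp.example</Computer></System>
  <UserData><LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
  <SubjectUserSid>S-1-5-21-1111-2222-3333-1001</SubjectUserSid>
  <SubjectUserName>jdoe</SubjectUserName><SubjectDomainName>CORP</SubjectDomainName>
  <SubjectLogonId>0x3e7a1</SubjectLogonId></LogFileCleared></UserData></Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2024-05-25T10:15:00Z"/>
  <EventRecordID>58212</EventRecordID><Channel>Security</Channel>
  <Computer>WS01.corp.example</Computer></System></Event>""",
]
```

Each returned alert is the starting point for triage: the subject fields identify who to ask for the "reasonable explanation" the entry refers to, and the record ID and timestamp let you check whether the surrounding records still exist.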
Sections
| ID | Name | Description |
|---|---|---|
| AF002 | Log Deletion | The subject deliberately deletes logs to eliminate records of their activity and hinder subsequent investigation. This may include host-based logs (e.g., Windows Event Logs, Linux audit logs), application logs (e.g., authentication or access records), or network-level logs (e.g., firewall or proxy logs). Deletion may be selective by targeting specific time ranges, event types, or identifiers, or more broad by wiping entire log files or directories to prevent attribution or timeline reconstruction. |
| AF002.001 | Clear Windows Event Logs | A subject clears Windows Event logs to conceal evidence of their activities. Windows Event Logs store various types of information, such as system errors, application events, security auditing messages, and other operational events. The logs are stored in Windows Event Logs can be cleared using the Event Viewer utility, provided the user account has administrative privileges. |