104 Event Log Clearing
Log Name : System
Event ID : 104
Description : The <filename> log file was cleared.
Why
This might be your IT admin running a scheduled event log clearing as per company policy, but remember that only a very low percentage of companies do scheduled clearing. Windows has a built-in feature that overwrites event log records once a size limit is reached, and this limit is configurable: by default Windows ships with a maximum file size of 20MB for workstations, while for servers it depends and may go up to or above 4GB.
An individual would require at least local admin privileges to clear event logs.
Let’s talk Forensics
From a forensics point of view, preserving evidence is the most crucial part, but when attackers start clearing their tracks after a successful attack, event logs are the first thing they target.
Fields to be noted
- Date&Time
- Username
- Computer
- Description
When you encounter event ID 104 in the System event log there are two possible scenarios one might end up in. Pivoting (ruling out options) is the key to a stress-free analysis.
- Legit activity - exclude the below
  - Events outside the incident timeframe
  - Periodic clearing with a long history (IT scheduled clearing)
- Attacker clearing - include the below
  - Multiple logs cleared at the same time, for example the System, Security and Application logs in quick succession:
    The System log file was cleared. The Security log file was cleared. The Application log file was cleared.
  - If you encounter the event shown below you are analyzing a Windows server (Exchange). This is usual activity unless you are dealing with an Exchange-compromise-related attack.
    The Microsoft Throttling log file was cleared.
  - For multiple logs cleared at the same time, we need the Date&Time, user SID and Computer name of the clearing event to track lateral movement.
  - The user involved in this event can be considered the compromised user that the attacker used.
How to clear
- PowerShell
  Clear-EventLog "Windows PowerShell"
  Clear-EventLog -LogName application, system -confirm
- Wevtutil
  wevtutil.exe cl Application
  wevtutil.exe clear-log Application
- Metasploit
  wevtutil.exe cl Application
- Armitage
  wevtutil.exe cl Application
- Cobalt Strike
  wevtutil.exe cl Application
- Mimikatz
  mimikatz > EVENT::Clear # clears event logs
  mimikatz > EVENT::Drop # stops new events from being written to file (admin privileges required)
- Invoke-Phant0m
  # kills all Event Log Service threads, so the system will not be able to collect logs
  > Invoke-Phant0m
Summary
Huh… this event is generated when all the records of a particular event log are cleared. To identify whether this activity is malicious, note down the Date&Time, UserSID and Computer fields from the event; this helps in tracking lateral movement. Then check for other suspicious or malicious activity (RDP logons, network logons, etc.) at the same date and time by the same user SID.
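As an added worked example (not code from the original page), the pivot described in the summary and in the "Attacker clearing" list carried out over constructed 104 and 4624 records: events outside the incident timeframe and routine clearings are excluded, multiple logs cleared by the same SID on the same host within a short window are clustered, and prior RDP/network logons by that SID on that host are attached to the finding. The dict row layout, field names, and the 60-second and 10-minute windows are assumptions for illustration; the field choice follows the page.

```python
# Triage of Windows Event ID 104 ("The <name> log file was cleared") records.
# Added example, not code from the original page. It assumes the 104 and 4624
# events were exported to simple dict rows (constructed below); the field
# names mirror the columns the page says to note. Timestamps are UTC ISO-8601.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 104 records: three logs cleared within seconds by one
# user on WS01, a routine Throttling clear on an Exchange host, and an old
# clear on WS02 that falls outside the incident timeframe.
CLEARING_EVENTS = [
    {"time": "2024-03-10T02:00:05", "computer": "WS01",
     "user_sid": "S-1-5-21-1-2-3-1001", "log": "System"},
    {"time": "2024-03-10T02:00:06", "computer": "WS01",
     "user_sid": "S-1-5-21-1-2-3-1001", "log": "Security"},
    {"time": "2024-03-10T02:00:07", "computer": "WS01",
     "user_sid": "S-1-5-21-1-2-3-1001", "log": "Application"},
    {"time": "2024-03-10T00:00:00", "computer": "EX01",
     "user_sid": "S-1-5-18", "log": "Microsoft Throttling"},
    {"time": "2024-02-01T00:00:00", "computer": "WS02",
     "user_sid": "S-1-5-21-1-2-3-500", "log": "System"},
]

# Constructed sample 4624 records. Logon type 10 is RemoteInteractive (RDP),
# 3 is Network, 2 is Interactive (console).
LOGON_EVENTS = [
    {"time": "2024-03-10T01:58:30", "computer": "WS01",
     "user_sid": "S-1-5-21-1-2-3-1001", "logon_type": 10},
    {"time": "2024-03-09T09:00:00", "computer": "WS01",
     "user_sid": "S-1-5-21-1-2-3-1001", "logon_type": 2},
]

# Logs whose clearing is routine on Exchange servers (per the page). Do not
# exclude them when the incident itself is Exchange-related.
ROUTINE_LOGS = frozenset({"Microsoft Throttling"})


def parse(ts):
    """ISO-8601 string -> datetime."""
    return datetime.fromisoformat(ts)


def in_scope(events, start, end, routine=ROUTINE_LOGS):
    """Keep only 104 events inside the incident timeframe [start, end]
    (ISO strings) that are not routine clearings: the 'legit activity'
    exclusions from the page."""
    t_start, t_end = parse(start), parse(end)
    return [e for e in events
            if t_start <= parse(e["time"]) <= t_end and e["log"] not in routine]


def cluster_clearings(events, window=timedelta(seconds=60)):
    """Return one record per (computer, SID) where two or more distinct logs
    were cleared within `window` of each other: the page's 'multiple log
    clearing at the same time' indicator."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: parse(e["time"])):
        by_actor[(e["computer"], e["user_sid"])].append(e)
    clusters = []
    for (computer, sid), evs in by_actor.items():
        for i, first in enumerate(evs):
            t0 = parse(first["time"])
            span = [x for x in evs[i:] if parse(x["time"]) - t0 <= window]
            logs = sorted({x["log"] for x in span})
            if len(logs) >= 2:
                clusters.append({"computer": computer, "user_sid": sid,
                                 "first": first["time"], "logs": logs})
                break  # one finding per actor is enough for triage
    return clusters


def correlate_logons(cluster, logons, lookback=timedelta(minutes=10)):
    """RDP (10) and network (3) logons by the same SID on the same host in
    the `lookback` window before the first clearing: the pivot the page's
    summary describes for tracking lateral movement."""
    t0 = parse(cluster["first"])
    return [l for l in logons
            if l["user_sid"] == cluster["user_sid"]
            and l["computer"] == cluster["computer"]
            and l["logon_type"] in (3, 10)
            and timedelta(0) <= t0 - parse(l["time"]) <= lookback]


def triage(clearings, logons, start, end):
    """Full pivot: exclude, cluster, then attach the related logons."""
    findings = []
    for c in cluster_clearings(in_scope(clearings, start, end)):
        c["related_logons"] = correlate_logons(c, logons)
        findings.append(c)
    return findings


if __name__ == "__main__":
    for f in triage(CLEARING_EVENTS, LOGON_EVENTS, "2024-03-05", "2024-03-15"):
        print(f"{f['computer']} {f['user_sid']} cleared {f['logs']} at "
              f"{f['first']}; prior RDP/network logons: "
              f"{[l['time'] for l in f['related_logons']]}")
```

On the constructed data only the WS01 actor survives the exclusions and is reported, with the RDP logon a minute and a half before the first clearing attached; the Exchange Throttling clear and the February clear on WS02 drop out. With real data the rows would come from an evtx export, and the lookback window should be widened to whatever the incident timeline supports.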