Windows Event Log Cleared

name: Windows Event Log Cleared
id: ad517544-aff9-4c96-bd99-d6eb43bfbb6a
version: 17
date: '2026-03-10'
author: Rico Valdez, Michael Haag, Splunk
status: production
type: TTP
description: The following analytic detects the clearing of Windows event logs by identifying Windows Security Event ID 1102 or System log event 104. This detection leverages Windows event logs to monitor for log clearing activities. Such behavior is significant as it may indicate an attempt to cover tracks after malicious activities. If confirmed malicious, this action could hinder forensic investigations and allow attackers to persist undetected, making it crucial to investigate further and correlate with other alerts and data sources.
data_source:
    - Windows Event Log Security 1102
    - Windows Event Log System 104
search: |-
    (`wineventlog_security` EventCode=1102)
    OR
    (`wineventlog_system` EventCode=104)
    | stats count min(_time) as firstTime max(_time) as lastTime
      by action app change_type dest dvc name object_attrs object_category
         signature signature_id src_user status subject user
         vendor_product object EventCode
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `windows_event_log_cleared_filter`
how_to_implement: To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed.
known_false_positives: It is possible that these logs may be legitimately cleared by Administrators. Filter as needed.
references:
    - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1102
    - https://www.ired.team/offensive-security/defense-evasion/disabling-windows-event-logs-by-suspending-eventlog-service-threads
    - https://attack.mitre.org/techniques/T1070/001/
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: Windows $object$ cleared on $dest$ via EventCode $EventCode$
    risk_objects:
        - field: dest
          type: system
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - ShrinkLocker
        - Windows Log Manipulation
        - Ransomware
        - CISA AA22-264A
        - Compromised Windows Host
        - Clop Ransomware
    asset_type: Endpoint
    mitre_attack_id:
        - T1070.001
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-xml.log
          source: XmlWinEventLog:Security
          sourcetype: XmlWinEventLog