Event ID 104 — The LogFileCleared.Channel log file was cleared.
Description
The LogFileCleared.Channel log file was cleared.
Message
Fields
| Name | Description |
|---|---|
| LogFileCleared.SubjectUserName | Account name of the user who cleared the log |
| LogFileCleared.SubjectDomainName | Domain of that account |
| LogFileCleared.Channel | Name of the log (channel) that was cleared; note that the 104 event itself is written to the System log |
| LogFileCleared.BackupPath | Path the log was backed up to before clearing, or null if no backup was made |
| LogFileCleared.ClientProcessId | Process ID of the client process that requested the clear |
| LogFileCleared.ClientProcessStartKey | Start key identifying that process instance |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Eventlog",
    "guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
    "event_source_name": "",
    "event_id": 104,
    "version": 1,
    "level": 4,
    "task": 104,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-10-25T22:53:10.300656+00:00",
    "event_record_id": 1453,
    "correlation": {},
    "execution": {
      "process_id": 1796,
      "thread_id": 2028
    },
    "channel": "System",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-21-2533829718-189860685-2477588761-500"
    }
  },
  "user_data": {
    "LogFileCleared": {
      "SubjectUserName": "Administrator",
      "SubjectDomainName": "WINDEVEVAL",
      "Channel": "Application",
      "BackupPath": null,
      "ClientProcessId": 4544,
      "ClientProcessStartKey": 2533274790396090
    }
  },
  "message": ""
}
```
Detection Patterns
Defense Evasion: Clear Windows Event Logs
Community Notes
This event records the clearing of the System, Application, and other non-Security logs. Review the LogFileCleared.Channel field to identify which log was cleared; the event itself is always written to the System log, so the channel it appears in does not tell you which one was emptied.
Detection Rules
Sigma
- Eventlog Cleared (level: medium): One of the Windows Eventlogs has been cleared, e.g. caused by "wevtutil cl" command execution
- Important Windows Eventlog Cleared (level: high): Detects the clearing of one of the Windows Core Eventlogs, e.g. caused by "wevtutil cl" command execution
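The following is an added example, not code from this page or from the Sigma project: it applies the two rules above to a 104 record in the JSON shape shown in the Example Event, reading the cleared log from LogFileCleared.Channel rather than from the System channel the event is logged in. The set of "core" channels is an assumption for the example; the Sigma rule's exact channel list may differ.

```python
import json
from typing import Optional

# Core logs for the high-severity rule. This set is an assumption for the
# example; the Sigma rule's actual channel list may differ.
CORE_CHANNELS = {"Application", "Security", "System"}

# Constructed sample, reduced from the page's Example Event (hayabusa-sample-evtx).
SAMPLE_EVENT = """{"system": {"provider": "Microsoft-Windows-Eventlog",
 "event_id": 104, "channel": "System", "computer": "WinDevEval",
 "time_created": "2023-10-25T22:53:10.300656+00:00"},
 "user_data": {"LogFileCleared": {"SubjectUserName": "Administrator",
 "SubjectDomainName": "WINDEVEVAL", "Channel": "Application",
 "BackupPath": null, "ClientProcessId": 4544,
 "ClientProcessStartKey": 2533274790396090}}}"""


def load_event(line: str) -> dict:
    """Parse one JSON-serialised event record (one record per line)."""
    return json.loads(line)


def classify_log_clear(event: dict) -> Optional[dict]:
    """Return an alert dict for an Event ID 104 record, or None otherwise.

    Any 104 matches 'Eventlog Cleared' (medium); a 104 whose cleared
    channel is a core log matches 'Important Windows Eventlog Cleared'
    (high). The 104 itself is written to System, so the cleared log must
    be read from LogFileCleared.Channel, not from system.channel.
    """
    system = event.get("system", {})
    if system.get("provider") != "Microsoft-Windows-Eventlog":
        return None
    if system.get("event_id") != 104:
        return None
    data = event.get("user_data", {}).get("LogFileCleared", {})
    cleared = data.get("Channel", "")
    if cleared in CORE_CHANNELS:
        rule, level = "Important Windows Eventlog Cleared", "high"
    else:
        rule, level = "Eventlog Cleared", "medium"
    return {
        "rule": rule,
        "level": level,
        "channel": cleared,
        "subject": f"{data.get('SubjectDomainName')}\\{data.get('SubjectUserName')}",
        "client_pid": data.get("ClientProcessId"),
        "backup_path": data.get("BackupPath"),
        "computer": system.get("computer"),
        "time": system.get("time_created"),
    }
```

A null BackupPath, as in the sample, means the log was cleared without a backup, which is worth surfacing in the alert since a legitimate maintenance clear typically backs the log up first.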
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx