Skip to main content
Splunk Lantern

Windows event log cleared

This search looks for Windows events that indicate Windows event logs have been purged. This action is typically used in ransomware attacks by attackers to cover up evidence of malicious activity. Several Windows events are targeted in this search - event code 1100, which indicates an event log service shutdown, as well as codes 104 or 1102, which indicate that the event log was cleared.

Data required 

Windows event logs

Procedure

  1. Ensure your deployment is ingesting Windows event logs from your hosts.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
| search ((EventCode=104 eventtype=wineventlog_system) OR (eventtype=wineventlog_security (EventCode=1100 OR EventCode=1102))) 
| stats count min(_time) AS firstTime max(_time) AS lastTime BY EventCode dest 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
| search ((EventCode=104 eventtype=wineventlog_system) OR (eventtype=wineventlog_security (EventCode=1100 OR EventCode=1102)))  Search Windows event logs for event code codes 104 or 1102, which indicate that the event log was cleared, or event code 1100, which indicates an event log service shutdown.
| stats count min(_time) AS firstTime max(_time) AS lastTime BY EventCode dest  Return the values for the fields shown, sorting first by event code, then by destination.
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime) 
Convert these times into readable strings.

Next steps

False positives from this search may occur because administrators can clear event logs for legitimate reasons.

If you find evidence of a ransomware infection from this search, start your incident response process for dealing with a ransomware infection. You should check for recent backups for the systems affected by the infection.

Finally, you might be interested in other processes associated with the Detecting a ransomware attack use case.