F037 | MEDIUM | Confirmed malicious | validator: passed
Event log clear or audit log manipulation detected (TA0005: Defense Evasion, TA0006: Credential Access)
EventID 1102
Analyst narrative
Security event log EventID 1102 (Log Cleared) recorded in an anti-forensic pattern, indicating an attacker attempt to remove evidence. Correlated with high-risk persistence and explicit-credential logon events (EventID 4648) from the SYSTEM account.
Claims asserted
event_log | EventID 1102 - Log Cleared | parse_event_logs
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
parse_event_logs