Event ID 104: Log was cleared (System) (System)

Cosa registra davvero questo Event ID su disco, i campi EventData da leggere per primi e dove si colloca in un workflow di triage DFIR.

Canale: System
Provider: Windows\System
Note di triage: Service Control Manager's counterpart to Security 1102. Often missed by attackers who only clear Security.

Microsoft Learn

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/wineventApri la documentazione ufficiale ↗