I'm analyzing several hacked machines on our network. On the original hacked machine, I've found event logs indicating a series of successful RDP connections to other machines, but when I go to those machines and check the RDP connection logs, I don't see any logs at all around that time period. I also don't see much in the security or application log except for DWM sessions starting.

I know that functionality to delete specific events from the log is not exposed, but do you know of any tools that can modify event log exports? I'm thinking maybe the log was backed up and cleared and then the backup was tampered with before restoring or something like that. Otherwise, I'm not sure how I could have logs on one machine but only have logs before and after on the others.

Thanks.

S.C.

2 Answers

As far as I know, there is no way to delete/alter individual events from an event log (Application, System, Security, etc.) under Windows. The "most" you can do is delete them, but even that would generate an event in the case where the Security log is cleared (Event ID 1102).

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=1102

Apparently, Shadow Brokers released a tool called EventLogEdit that allows one to edit events on the fly, even while the system is running.

https://threatpost.com/shadowbrokers-selling-windows-exploits-attack-tools/123027/

Though I have yet to read about it being used in any attacks so far.

Aura
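As an added illustration (not part of Aura's answer or of any tool mentioned in the thread), the checks a responder would run on each of the "other" machines: look for the clear events the answer mentions (1102 for the Security log, and its System-log counterpart 104), test whether the EventRecordID sequence inside the window has holes, and list the RDP-related logon events that should be there. Run it in an elevated PowerShell session on the target host; the time window is an assumption to be replaced with the timestamps seen on the first machine.

```powershell
# Added example, not from the original answers. Triage for a suspected
# log-clearing / tampering window on one host (elevated PowerShell 5.1+).
# ASSUMPTION: placeholder window; set it to bracket the RDP timestamps
# observed on the originally compromised machine.
$Start = (Get-Date).AddDays(-7)
$End   = Get-Date

# 1. Log-clearing events. Clearing the Security log writes 1102 into the
#    Security log; clearing the System log writes 104 into the System log
#    (both from the Microsoft-Windows-Eventlog provider).
$cleared = @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102; StartTime=$Start; EndTime=$End} -ErrorAction SilentlyContinue) +
           @(Get-WinEvent -FilterHashtable @{LogName='System';   Id=104;  StartTime=$Start; EndTime=$End} -ErrorAction SilentlyContinue)
"Log-clear events in window: $($cleared.Count)"
$cleared | Select-Object TimeCreated, LogName, Id, RecordId | Format-Table -AutoSize

# 2. Record-ID continuity. EventRecordID increases by one for every record
#    written to a log, so a hole inside the sequence means records that were
#    once in this file are no longer there. Works on a live log or on an
#    exported .evtx opened with Get-WinEvent -Path.
function Find-RecordIdGaps {
    param([AllowEmptyCollection()][long[]]$RecordIds = @())
    $sorted = @($RecordIds | Sort-Object -Unique)
    $gaps = [System.Collections.Generic.List[object]]::new()
    for ($i = 1; $i -lt $sorted.Count; $i++) {
        $missing = $sorted[$i] - $sorted[$i - 1] - 1
        if ($missing -gt 0) {
            $gaps.Add([pscustomobject]@{ After = $sorted[$i - 1]; Before = $sorted[$i]; Missing = $missing })
        }
    }
    return $gaps
}
$secIds = @(Get-WinEvent -FilterHashtable @{LogName='Security'; StartTime=$Start; EndTime=$End} -Oldest -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty RecordId)
"Security records in window: $($secIds.Count)"
Find-RecordIdGaps -RecordIds $secIds | Format-Table -AutoSize

# 3. RDP-related logons. 4624 with LogonType 10 (RemoteInteractive) or 7
#    (unlock / reconnect), plus 4778 (session reconnected) and 4779
#    (session disconnected). Fields are read from the event XML by name so
#    the code does not depend on the order of the Properties[] array.
function Get-EventDataFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.GetAttribute('Name')] = $d.InnerText }
    return $fields
}
$rdp = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4778,4779; StartTime=$Start; EndTime=$End} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventDataFields $_
        if ($_.Id -eq 4624 -and $f.LogonType -notin '10','7') { return }
        if ($_.Id -eq 4624) { $user = $f.TargetUserName; $src = $f.IpAddress }
        else                { $user = $f.AccountName;    $src = $f.ClientAddress }
        [pscustomobject]@{ Time = $_.TimeCreated; RecordId = $_.RecordId; Id = $_.Id
                           User = $user; LogonType = $f.LogonType; Source = $src }
    }
$rdp | Sort-Object Time | Format-Table -AutoSize

# 4. The Remote Desktop session log keeps its own record of session
#    logon (21), disconnect (24) and reconnect (25), independent of Security.
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-TerminalServices-LocalSessionManager/Operational';
                               Id=21,24,25; StartTime=$Start; EndTime=$End} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, RecordId, @{n='Message'; e={ ($_.Message -split "`n")[0] }} |
    Format-Table -AutoSize
```

A gap reported by Find-RecordIdGaps is only evidence that records are missing from the file; a backup-clear-restore cycle or an archive rotation can produce discontinuities too, so read it together with the 1102/104 output and with the Security log's maximum size and retention setting. Conversely, an unbroken sequence and no 1102 do not rule out editing of an exported file before it was put back, which is exactly the scenario the question raises.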

On Unix systems, the logs are just text files. Generally only specific processes/daemons have the ability to edit them, but a user with sudo access can do it too. Just process it like any other text file.

On Windows, it is again a similar story - in a nutshell, someone with admin rights can tamper with the system. Although for Windows they will need specific tools like WinZapper. See this security.se question for a good discussion on this topic.

dakini
  • WinZapper looks interesting. I'll have to mess around with that and see if I can recreate what I see here. Thanks. – S.C. Apr 26 '19 at 13:58
  • [`.evtx` are not just text files](https://docs.microsoft.com/en-us/windows/desktop/eventlog/event-log-file-format). – user2320464 Apr 26 '19 at 23:32
  • @user2320464 Indeed, they're not. Which is why one will need special tools to tinker/tamper with them. – dakini Apr 27 '19 at 06:00