ATT&CK Technique

Clear Windows Event Logs

T1070.001 · stealth

Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.

With administrator privileges, the event logs can be cleared with the following utility commands:

wevtutil cl system
wevtutil cl application
wevtutil cl security

These logs may also be cleared through other mechanisms, such as the Event Viewer GUI or PowerShell. For example, adversaries may use the PowerShell command Remove-EventLog -LogName Security to delete the Security event log and, after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.

Adversaries may also attempt to clear logs by directly deleting the stored log files within C:\Windows\System32\winevt\logs\.

Windows

Actors Using This

14
Agrius · iran
Akira · russia_speaking_cybercrime
ALPHV / BlackCat · russia_speaking_cybercrime
Andariel · north_korea
Anubis Ransomware · unknown_likely_russia_aligned
APT28 · russia
APT38 · north_korea
APT3 · china
APT41 · china
APT5 (UNC2630 / UNC2717 / Mulberry Typhoon) · china_state_sponsored_mandiant_canonical_microsoft_mulberry_typhoon
Black Basta · russia_speaking_cybercrime
BlackLock Ransomware · unknown_likely_russia_aligned_eldorado_lineage
Brain Cipher · unknown_likely_russia_aligned

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.

Detection Coverage

1/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma): none
Analytics (MITRE CAR): 2
Runtime / container (Falco): none
File / malware (YARA): none
Network (Suricata/Snort): none
Vuln scan (Nuclei): none

CAR Analytics

2
MITRE Cyber Analytics Repository - field-tested detection logic for this technique, written as pseudocode/queries you adapt to your own SIEM (Splunk, Sentinel, EQL). Each is a ready starting point for a detection rule, not just a description.
CAR-2016-04-002 · Moderate coverage · User Activity from Clearing Event Logs

It is unlikely that event log data would be cleared during normal operations, and it is likely that malicious attackers may try to cover their tracks by clearing an event log. When an event log gets cleared, it is suspicious.

1. This is often done using wevtutil, a legitimate tool provided by Microsoft. This action interferes with event collection and notification, and may lead to a security event going undetected, thereby potentially leading to further compromise of the network.

2. Alerting when a Clear Event Log event is generated could point to this intruder technique. Centrally collecting events has the added benefit of making it much harder for attackers to cover their tracks. Event Forwarding permits sources to forward multiple copies of a collected event to multiple collectors, thus enabling redundant event collection. Using a redundant event collection model can minimize the single point of failure risk.

3. Attackers may configure an event source with Limit-EventLog -LogName Security -OverflowAction DoNotOverwrite so that old events are not overwritten when the .evtx is full. By default the Security log size is configured with the minimum value of 20 480 KB (~23 000 events), so if this option is enabled, all new events will be automatically deleted. This behavior can be detected with Security event ID 1104.

4. Attackers may delete .evtx files with del C:\Windows\System32\winevt\logs\Security.evtx or Remove-Item C:\Windows\System32\winevt\logs\Security.evtx after having disabled and stopped the EventLog service. Because the service is disabled and stopped, the .evtx files are no longer held open by it and can be deleted. The log will be unavailable until the configuration is reset.

5. Attackers may use the PowerShell command Remove-EventLog -LogName Security to unregister event sources that are part of Windows (Application, Security, ...). This command deletes the Security event log (which also generates event ID 1102), but new events are still recorded until the system is rebooted. After the system is rebooted, the Security log is unregistered and no longer logs new events. However, events generated between the command and the reboot are still available in the .evtx file.

pseudocode - PseudoCode for dedicated EventID EventLog deletion
([log_name] == "Security" and [event_code] in [1100, 1102, 1104]) or
([log_name] == "System" and [event_code] == 104)
LogPoint - LogPoint version of the above pseudocode.
norm_id=WinServer ((channel="Security" event_id IN [1100,1102]) OR (channel="System" event_id=104))
Splunk - Splunk search - Detecting log clearing with wevtutil
index=__your_sysmon_index__ sourcetype= __your__windows__sysmon__sourcetype EventCode=1 (Image=*wevtutil* CommandLine=*cl* (CommandLine=*System* OR CommandLine=*Security* OR CommandLine=*Setup* OR CommandLine=*Application*) OR Clear-EventLog OR Limit-EventLog OR (Remove-Item AND .evtx) OR Remove-EventLog)
CAR-2021-01-003 · Low coverage · Clearing Windows Logs with Wevtutil

In an attempt to clear traces after compromising a machine, threat actors often try to clear Windows Event logs. This is often done using “wevtutil”, a legitimate tool provided by Microsoft. This action interferes with event collection and notification, and may lead to a security event going undetected, thereby potentially leading to further compromise of the network.

Splunk - Splunk search - Detecting log clearing with wevtutil
index=__your_sysmon_index__ sourcetype= __your__windows__sysmon__sourcetype EventCode=1 Image=*wevtutil* CommandLine=*cl* (CommandLine=*System* OR CommandLine=*Security* OR CommandLine=*Setup* OR CommandLine=*Application*)
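The two CAR analytics above are written as Splunk and LogPoint searches that cannot be run without a SIEM. The following Python is an added example, not code from threatengine.sh or MITRE CAR, that implements the same matching logic over a handful of constructed events so the rules can be checked offline before being ported: the Security 1100/1102/1104 and System 104 event-ID rule and the Clear-EventLog / Limit-EventLog / Remove-EventLog / Remove-Item .evtx command-line terms from CAR-2016-04-002, and the Sysmon EventCode 1 wevtutil cl rule from CAR-2021-01-003. The event dictionaries and their field names (source, channel, event_id, image, command_line) are assumptions standing in for whatever a real log pipeline emits.

```python
"""Detection logic for T1070.001 (Clear Windows Event Logs).

Added example; not code from threatengine.sh or MITRE CAR. It implements the
two CAR analytics on this page over constructed sample events:

  * CAR-2016-04-002: Security 1100/1102/1104 or System 104, plus the
    command-line terms its Splunk search adds (Clear-EventLog, Limit-EventLog,
    Remove-EventLog, Remove-Item on a .evtx file).
  * CAR-2021-01-003: Sysmon EventCode 1 where wevtutil cl targets the
    System, Security, Setup or Application log.

The event dictionaries and their field names are assumptions standing in for
whatever a real log pipeline emits.
"""
import re

# Channel -> event IDs named by CAR-2016-04-002.
LOG_CLEAR_EVENT_IDS = {
    "Security": {1100, 1102, 1104},  # log service shut down / audit log cleared / log full
    "System": {104},                  # "The <log> log file was cleared"
}

# Logs named in both CAR Splunk searches (compared case-insensitively).
TARGET_LOGS = {"system", "security", "setup", "application"}

# wevtutil cl <log>; cl is the short form of clear-log.
WEVTUTIL_CLEAR = re.compile(
    r"wevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(\S+)", re.IGNORECASE
)

# PowerShell cmdlets CAR-2016-04-002 lists as indicators.
PS_INDICATORS = ("clear-eventlog", "limit-eventlog", "remove-eventlog")


def matches_clear_event(event):
    """CAR-2016-04-002 pseudocode: channel + event ID of a log-clearing event."""
    if event.get("source") != "windows":
        return False
    return event.get("event_id") in LOG_CLEAR_EVENT_IDS.get(event.get("channel"), set())


def matches_wevtutil_clear(event):
    """CAR-2021-01-003: Sysmon process creation running wevtutil cl on a standard log."""
    if event.get("source") != "sysmon" or event.get("event_id") != 1:
        return False
    if "wevtutil" not in event.get("image", "").lower():
        return False
    m = WEVTUTIL_CLEAR.search(event.get("command_line", ""))
    return m is not None and m.group(1).lower() in TARGET_LOGS


def matches_powershell_indicator(event):
    """Command-line terms from the CAR-2016-04-002 Splunk search."""
    if event.get("source") != "sysmon" or event.get("event_id") != 1:
        return False
    cmd = event.get("command_line", "").lower()
    if any(term in cmd for term in PS_INDICATORS):
        return True
    return "remove-item" in cmd and ".evtx" in cmd


def detect(events):
    """Return (index, analytic, reason) for every event that matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        if matches_clear_event(ev):
            hits.append((i, "CAR-2016-04-002", f"{ev['channel']} event {ev['event_id']}"))
        if matches_wevtutil_clear(ev):
            hits.append((i, "CAR-2021-01-003", "wevtutil cl on a standard log"))
        elif matches_powershell_indicator(ev):
            hits.append((i, "CAR-2016-04-002", "log-clearing command line"))
    return hits


# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    {"source": "sysmon", "event_id": 1, "image": r"C:\Windows\System32\wevtutil.exe",
     "command_line": "wevtutil.exe cl Security"},
    {"source": "windows", "channel": "Security", "event_id": 1102},   # audit log cleared
    {"source": "windows", "channel": "System", "event_id": 104},      # log file cleared
    {"source": "sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -c Remove-Item C:\Windows\System32\winevt\logs\Security.evtx"},
    {"source": "sysmon", "event_id": 1, "image": r"C:\Windows\System32\wevtutil.exe",
     "command_line": "wevtutil.exe qe Security /c:5"},                # benign: query, not clear
    {"source": "windows", "channel": "Security", "event_id": 4624},   # benign: logon
]

if __name__ == "__main__":
    for idx, analytic, reason in detect(SAMPLE_EVENTS):
        print(f"event[{idx}] -> {analytic}: {reason}")
```

Run it directly to print the four hits; the last two constructed events (a wevtutil qe query and a routine 4624 logon) are the benign cases the rules must ignore. Two caveats carry over from the CAR searches: the wevtutil rule only covers the four standard logs, so a wevtutil cl against any other channel has to be caught by the System 104 event or by widening TARGET_LOGS, and Limit-EventLog also appears in legitimate administration, so that term is a triage indicator rather than an alert on its own.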

Caldera Emulation

1
MITRE Caldera abilities that emulate this technique - each is an executable action for automated adversary emulation.
defense-evasion · windows · Clear Logs
Clear-Eventlog Security;
Clear-Eventlog System;
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin