T1070.001SubTechniquedefense-evasionagent-callable

T1070.001Clear Windows Event Logs

Sub-technique of T1070

Platforms: Windows

ATT&CK version: 14.1

What it is

Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit. The event logs can be cleared with the following utility commands: * <code>wevtutil cl system</code> * <code>wevtutil cl application</code> * <code>wevtutil cl security</code> These logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001). For example, adversaries may use the PowerShell command <code>Remove-EventLog -LogName Security</code> to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)

ATT&CK tactics· 1

Defense Evasion

References

  1. https://attack.mitre.org/techniques/T1070/001
  2. https://ptylu.github.io/content/report/report.html?report=25
  3. https://docs.microsoft.com/powershell/module/microsoft.powershell.management/clear-eventlog
  4. https://msdn.microsoft.com/library/system.diagnostics.eventlog.clear.aspx
  5. https://docs.microsoft.com/windows-server/administration/windows-commands/wevtutil
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.
T1070.001: Clear Windows Event Logs | SQUR Knowledge Base