T1070.001.md
T1070.001 - Clear Windows Event Logs

Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.

The event logs can be cleared with the following utility commands:

  • wevtutil cl system
  • wevtutil cl application
  • wevtutil cl security

These logs may also be cleared through other mechanisms, such as the event viewer GUI or PowerShell.

Atomic Tests


Atomic Test #1 - Clear Logs

Upon execution this test will clear the selected Windows Event Log. Open the System.evtx log at C:\Windows\System32\winevt\Logs and verify that it is now empty.

Supported Platforms: Windows

Inputs:

Name      Description                  Type    Default Value
log_name  Windows Log Name, ex System  String  System

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

wevtutil cl #{log_name}


Atomic Test #2 - Delete System Logs Using Clear-EventLog

Clear event logs using built-in PowerShell cmdlets. Upon successful execution, you should see the list of cleared event logs. Then open the Security.evtx log at C:\Windows\System32\winevt\Logs and verify that it is now empty or has very few entries in it.

Supported Platforms: Windows

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

# Enumerate every classic event log registered on the host
$logs = Get-EventLog -List | ForEach-Object {$_.Log}
# Clear each log in turn (requires an elevated session)
$logs | ForEach-Object {Clear-EventLog -LogName $_ }
# List the logs again; their entry counts should now be zero or near zero
Get-EventLog -List
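The following added example (not part of the Atomic Red Team test definitions) is the defender-side check for both tests above: it reads the record counts of the three targeted logs and looks for the events Windows itself writes when a log is cleared. The 60-minute lookback window is an assumption; default auditing is assumed.

```powershell
# Added example, not Atomic Red Team code. Run in an elevated PowerShell
# session after either test to confirm the clearing left evidence behind.

function Get-TargetLogCounts {
    # RecordCount of the three logs the tests target; near-zero confirms the clear
    Get-WinEvent -ListLog System, Application, Security |
        Select-Object LogName, RecordCount
}

function Get-LogClearEvidence {
    param([int]$MinutesBack = 60)   # lookback window is an assumption
    $since = (Get-Date).AddMinutes(-$MinutesBack)

    # Event ID 1102 is written to the Security log when that log is cleared;
    # Event ID 104 is written to the System log when any other log is cleared.
    $filters = @(
        @{ LogName = 'Security'; Id = 1102; StartTime = $since },
        @{ LogName = 'System';   Id = 104;  StartTime = $since }
    )
    foreach ($f in $filters) {
        # Get-WinEvent throws when nothing matches; treat that as "no evidence"
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Log     = $_.LogName
                    EventId = $_.Id
                    Message = ($_.Message -split "`n")[0]
                }
            }
    }
}

Get-TargetLogCounts
Get-LogClearEvidence -MinutesBack 60 | Format-Table -AutoSize
```

Clearing the Security log immediately writes a 1102 entry into it, so a "cleared" Security log holds one record rather than none; the Security RecordCount after the test reflects that.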