Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.
The event logs can be cleared with the following utility commands:
These logs may also be cleared through other mechanisms, such as the event viewer GUI or PowerShell.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| chronicle | Chronicle | technique_scores | T1070.001 | Clear Windows Event Logs |
Comments
Chronicle is able to trigger an alert based on suspicious system events used to evade defenses, such as deletion of Windows security event logs.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/main/gcp_cloudaudit/gcp_log_deletion.yaral
References
|