T1070.001 Clear Windows Event Logs Mappings

Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.

The event logs can be cleared with the following utility commands:

  • <code>wevtutil cl system</code>
  • <code>wevtutil cl application</code>
  • <code>wevtutil cl security</code>

These logs may also be cleared through other mechanisms, such as the event viewer GUI or PowerShell.



Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
chronicle Chronicle technique_scores T1070.001 Clear Windows Event Logs