Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.
With administrator privileges, the event logs can be cleared with the following utility commands:
These logs may also be cleared through other mechanisms, such as the event viewer GUI or PowerShell. For example, adversaries may use the PowerShell command <code>Remove-EventLog -LogName Security</code> to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)
Adversaries may also attempt to clear logs by directly deleting the stored log files within C:\Windows\System32\winevt\logs\.
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Destroy data | Destroy or corrupt stored data | related-to | T1070.001 | Indicator Removal on Host: Clear Windows Event Logs | |
| attribute.integrity.variety.Log tampering | Log tampering or modification | related-to | T1070.001 | Indicator Removal on Host: Clear Windows Event Logs |