Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.
With administrator privileges, the event logs can be cleared with the following utility commands:
These logs may also be cleared through other mechanisms, such as the event viewer GUI or PowerShell. For example, adversaries may use the PowerShell command <code>Remove-EventLog -LogName Security</code> to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)
Adversaries may also attempt to clear logs by directly deleting the stored log files within C:\Windows\System32\winevt\logs\.
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.PS-01.06 | Encryption management practices | Mitigates | T1070.001 | Clear Windows Event Logs |
Comments
This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to windows event logs removal techniques, obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.
References
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1070.001 | Clear Windows Event Logs |
Comments
This diagnostic statement protects against Clear Windows Event Logs through the use of key management. Employing key protection strategies for key material used in protection of event logs, limitations to specific accounts along with access control mechanisms provides protection against adversaries trying to clear system logs.
References
|
| ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1070.001 | Clear Windows Event Logs |
Comments
This diagnostic statement protects data from being easily manipulated by adversaries that try to clear Windows event logs by intruding different activities. Encrypting files locally and in transit shall avoid giving data to an adversary. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
References
|
| ID.AM-08.05 | Data destruction procedures | Mitigates | T1070.001 | Clear Windows Event Logs |
Comments
This diagnostic statement protects data from being easily manipulated by adversaries that try to clear Windows event logs by intruding different activities. Encrypting files locally and in transit shall avoid giving data to an adversary. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
References
|
| PR.PS-01.05 | Encryption standards | Mitigates | T1070.001 | Clear Windows Event Logs |
Comments
This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to windows event logs removal techniques, obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| attribute.integrity.variety.Log tampering | Log tampering or modification | related-to | T1070.001 | Clear Windows Event Logs |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| microsoft_sentinel | Microsoft Sentinel | technique_scores | T1070.001 | Clear Windows Event Logs |
Comments
The Microsoft Sentinel Hunting "Security Event Log Cleared" query can detect clearing of the security event logs, though not necessarily clearing of any arbitrary Windows event logs.
References
|
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1070.001 | Clear Windows Event Logs |
Comments
This control may detect when an event log has been cleared or IIS logs have been deleted. The following alerts may be generated: "Detected actions indicative of disabling and deleting IIS log files", "An event log was cleared".
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1070.001 | Clear Windows Event Logs |
Comments
Google Security Ops is able to trigger an alert based on suspicious system events used to evade defenses, such as deletion of Windows security event logs.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/main/gcp_cloudaudit/gcp_log_deletion.yaral
References
|