T1070.001 Clear Windows Event Logs

Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.

With administrator privileges, the event logs can be cleared with the following utility commands:

  • <code>wevtutil cl system</code>
  • <code>wevtutil cl application</code>
  • <code>wevtutil cl security</code>

These logs may also be cleared through other mechanisms, such as the event viewer GUI or PowerShell. For example, adversaries may use the PowerShell command <code>Remove-EventLog -LogName Security</code> to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)

Adversaries may also attempt to clear logs by directly deleting the stored log files within C:\Windows\System32\winevt\logs\.
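From the defender's side, the clearing itself leaves traces: the Event Log service writes Security event 1102 when the audit log is cleared and System event 104 when another log is cleared, and the commands listed above appear in Security 4688 process-creation events when command-line auditing is enabled. The following is an added example, not code from ATT&CK or the mappings project; it assumes events have been exported into dicts with keys time, log, event_id and message, and the sample records are constructed.

```python
"""Flag Windows event-log clearing in exported event records (added example)."""
import re

# Events the Event Log service itself writes when a log is cleared. The 1102
# entry is normally the only record left in a freshly cleared Security log.
CLEARED_LOG_EVENTS = {("Security", 1102), ("System", 104)}

# Command lines named in the technique description, as they appear in Security
# 4688 process-creation events (requires command-line auditing to be enabled).
CLEAR_CMD_RE = re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b|Remove-EventLog\b", re.I)


def detect_log_clearing(events):
    """Return findings for events that indicate an event log was cleared."""
    findings = []
    for ev in events:
        key = (ev["log"], ev["event_id"])
        if key in CLEARED_LOG_EVENTS:
            findings.append({"time": ev["time"], "signal": "log_cleared",
                             "detail": ev["message"]})
        elif key == ("Security", 4688):
            m = CLEAR_CMD_RE.search(ev["message"])
            if m:
                findings.append({"time": ev["time"], "signal": "clear_command",
                                 "detail": m.group(0)})
    return findings


SAMPLE_EVENTS = [  # constructed sample records, not real host data
    {"time": "2024-05-01T10:00:00Z", "log": "Security", "event_id": 4624,
     "message": "An account was successfully logged on."},
    {"time": "2024-05-01T10:05:12Z", "log": "Security", "event_id": 4688,
     "message": "A new process has been created. Process Command Line: wevtutil cl security"},
    {"time": "2024-05-01T10:05:13Z", "log": "Security", "event_id": 1102,
     "message": "The audit log was cleared."},
    {"time": "2024-05-01T10:05:20Z", "log": "System", "event_id": 104,
     "message": "The Application log file was cleared."},
    {"time": "2024-05-01T10:06:00Z", "log": "Application", "event_id": 1000,
     "message": "Faulting application name: notepad.exe"},
]

if __name__ == "__main__":
    for f in detect_log_clearing(SAMPLE_EVENTS):
        print(f"{f['time']} {f['signal']}: {f['detail']}")
```

Forwarding logs to a central collector before they can be cleared is what makes these signals durable, since the 1102/104 records can themselves be removed by a second clear.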


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
PR.PS-01.06 | Encryption management practices | Mitigates | T1070.001 | Clear Windows Event Logs |
  Comments: This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data, protecting the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address Windows event log removal techniques, obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.
PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1070.001 | Clear Windows Event Logs |
  Comments: This diagnostic statement protects against Clear Windows Event Logs through the use of key management. Employing key protection strategies for the key material used to protect event logs, restricting its use to specific accounts, and applying access control mechanisms protect against adversaries trying to clear system logs.
ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1070.001 | Clear Windows Event Logs |
  Comments: This diagnostic statement protects data from being easily manipulated by adversaries that try to clear Windows event logs to conceal intrusion activity. Encrypting event files locally and in transit avoids giving data to an adversary. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
ID.AM-08.05 | Data destruction procedures | Mitigates | T1070.001 | Clear Windows Event Logs |
  Comments: This diagnostic statement protects data from being easily manipulated by adversaries that try to clear Windows event logs to conceal intrusion activity. Encrypting event files locally and in transit avoids giving data to an adversary. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
PR.PS-01.05 | Encryption standards | Mitigates | T1070.001 | Clear Windows Event Logs |
  Comments: This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data, protecting the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address Windows event log removal techniques, obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
CA-07 | Continuous Monitoring | mitigates | T1070.001 | Clear Windows Event Logs |
CM-06 | Configuration Settings | mitigates | T1070.001 | Clear Windows Event Logs |
AC-17 | Remote Access | mitigates | T1070.001 | Clear Windows Event Logs |
CP-07 | Alternate Processing Site | mitigates | T1070.001 | Clear Windows Event Logs |
CP-06 | Alternate Storage Site | mitigates | T1070.001 | Clear Windows Event Logs |
SC-36 | Distributed Processing and Storage | mitigates | T1070.001 | Clear Windows Event Logs |
SI-23 | Information Fragmentation | mitigates | T1070.001 | Clear Windows Event Logs |
CP-09 | System Backup | mitigates | T1070.001 | Clear Windows Event Logs |
AC-19 | Access Control for Mobile Devices | mitigates | T1070.001 | Clear Windows Event Logs |
SC-04 | Information in Shared System Resources | mitigates | T1070.001 | Clear Windows Event Logs |
SI-12 | Information Management and Retention | mitigates | T1070.001 | Clear Windows Event Logs |
SI-03 | Malicious Code Protection | mitigates | T1070.001 | Clear Windows Event Logs |
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1070.001 | Clear Windows Event Logs |
AC-16 | Security and Privacy Attributes | mitigates | T1070.001 | Clear Windows Event Logs |
AC-18 | Wireless Access | mitigates | T1070.001 | Clear Windows Event Logs |
CM-02 | Baseline Configuration | mitigates | T1070.001 | Clear Windows Event Logs |
SI-04 | System Monitoring | mitigates | T1070.001 | Clear Windows Event Logs |
AC-02 | Account Management | mitigates | T1070.001 | Clear Windows Event Logs |
AC-03 | Access Enforcement | mitigates | T1070.001 | Clear Windows Event Logs |
AC-05 | Separation of Duties | mitigates | T1070.001 | Clear Windows Event Logs |
AC-06 | Least Privilege | mitigates | T1070.001 | Clear Windows Event Logs |

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
attribute.integrity.variety.Log tampering | Log tampering or modification | related-to | T1070.001 | Clear Windows Event Logs |

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1070.001 | Clear Windows Event Logs |
  Comments: This control may detect when an event log has been cleared or IIS logs have been deleted. The following alerts may be generated: "Detected actions indicative of disabling and deleting IIS log files", "An event log was cleared".

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
google_secops | Google Security Operations | technique_scores | T1070.001 | Clear Windows Event Logs |
  Comments: Google Security Ops is able to trigger an alert based on suspicious system events used to evade defenses, such as deletion of Windows security event logs. This technique was scored as minimal based on a low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/main/gcp_cloudaudit/gcp_log_deletion.yaral