T1070.001 Clear Windows Event Logs Mappings

Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.

The event logs can be cleared with the following utility commands:

  • wevtutil cl system
  • wevtutil cl application
  • wevtutil cl security

These logs may also be cleared through other mechanisms, such as the event viewer GUI or PowerShell.


NIST 800-53 Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-16 | Security and Privacy Attributes | Protects | T1070.001 | Clear Windows Event Logs | |
| AC-17 | Remote Access | Protects | T1070.001 | Clear Windows Event Logs | |
| AC-18 | Wireless Access | Protects | T1070.001 | Clear Windows Event Logs | |
| AC-19 | Access Control for Mobile Devices | Protects | T1070.001 | Clear Windows Event Logs | |
| AC-2 | Account Management | Protects | T1070.001 | Clear Windows Event Logs | |
| AC-3 | Access Enforcement | Protects | T1070.001 | Clear Windows Event Logs | |
| AC-5 | Separation of Duties | Protects | T1070.001 | Clear Windows Event Logs | |
| AC-6 | Least Privilege | Protects | T1070.001 | Clear Windows Event Logs | |
| CA-7 | Continuous Monitoring | Protects | T1070.001 | Clear Windows Event Logs | |
| CM-2 | Baseline Configuration | Protects | T1070.001 | Clear Windows Event Logs | |
| CM-6 | Configuration Settings | Protects | T1070.001 | Clear Windows Event Logs | |
| CP-6 | Alternate Storage Site | Protects | T1070.001 | Clear Windows Event Logs | |
| CP-7 | Alternate Processing Site | Protects | T1070.001 | Clear Windows Event Logs | |
| CP-9 | System Backup | Protects | T1070.001 | Clear Windows Event Logs | |
| SC-36 | Distributed Processing and Storage | Protects | T1070.001 | Clear Windows Event Logs | |
| SC-4 | Information in Shared System Resources | Protects | T1070.001 | Clear Windows Event Logs | |
| SI-12 | Information Management and Retention | Protects | T1070.001 | Clear Windows Event Logs | |
| SI-23 | Information Fragmentation | Protects | T1070.001 | Clear Windows Event Logs | |
| SI-3 | Malicious Code Protection | Protects | T1070.001 | Clear Windows Event Logs | |
| SI-4 | System Monitoring | Protects | T1070.001 | Clear Windows Event Logs | |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1070.001 | Clear Windows Event Logs | |

Azure Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1070.001 | Clear Windows Event Logs | |
| azure_sentinel | Azure Sentinel | technique_scores | T1070.001 | Clear Windows Event Logs | |

Comments (alerts_for_windows_machines): This control may detect when an event log has been cleared or IIS logs have been deleted. The following alerts may be generated: "Detected actions indicative of disabling and deleting IIS log files", "An event log was cleared".

Comments (azure_sentinel): The Azure Sentinel Hunting "Security Event Log Cleared" query can detect clearing of the security event logs, though not necessarily clearing of any arbitrary Windows event logs.