Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.
The event logs can be cleared with the following utility commands:
These logs may also be cleared through other mechanisms, such as the event viewer GUI or PowerShell.
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1070.001 | Clear Windows Event Logs |
Comments
This control may detect when an event log has been cleared or IIS logs have been deleted. The following alerts may be generated: "Detected actions indicative of disabling and deleting IIS log files", "An event log was cleared".
References
|
azure_sentinel | Azure Sentinel | technique_scores | T1070.001 | Clear Windows Event Logs |
Comments
The Azure Sentinel Hunting "Security Event Log Cleared" query can detect clearing of the security event logs, though not necessarily clearing of any arbitrary Windows event logs.
References
|