#T1070.001 Clear Windows Event Logs

Technique

  • Tactics: Defense Evasion
  • Description:

    Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.

    With administrator privileges, the event logs can be cleared with the following utility commands:

    * <code>wevtutil cl system</code>
    * <code>wevtutil cl application</code>
    * <code>wevtutil cl security</code>

    These logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001). For example, adversaries may use the PowerShell command <code>Remove-EventLog -LogName Security</code> to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)

    Adversaries may also attempt to clear logs by directly deleting the stored log files within `C:\Windows\System32\winevt\logs\`.

  • First Seen: Lazarus group Campaign Targeting The Cryptocurrency Vertical • 2020-08-18
MITRE ATT&CK

Tagged Reports

2024-07-19
Cyfirma
#Trend #Andariel #Kimsuky #MoonstoneSleet #Lazarus #T1562.001 #T1190 #T1068 #T1543.003 #T1056 #T1595.002 #T1059.003 #T1566 #T1485 #T1218.011 #T1069.002 #T1010 #T1571 #T1102.001 #T1583.001 #T1555.003 #T1033 #T1497.001 #T1203 #T1036 #T1012 #T1027 #T1583.003 #T1071 #T1562.004 #T1614 #T1027.005 #T1548 #T1552 #T1140 #T1005 #T1053.005 #T1564.001 #T1555 #T1129 #T1070.001 #T1046 #T1070 #T1095 #T1569.002 #T1562 #T1573 #T1047 #T1552.001 #T1057 #T1082 #T1518.001 #T1176 #T1090 #T1518 #T1539 #T1041 #T1564 #T1560 #T1202 #T1071.001 #T1547 #T1112 #T1497 #T1059.001 #T1124 #T1056.001 #T1222 #T1070.006 #T1059 #T1564.003 #T1222.001 #T1056.004 #T1547.001 #T1584 #T1087.002 #T1070.004 #T1505.003 #T1113 #T1608.005 #T1204.002 #T1087 #T1574.002 #T1115 #T1083 #T1490 #T1053 #T1486 #T1566.002 #T1133 #T1021.004 #T1003
2023-12-19
Picus Security
#Play #Ransomware #T1078 #T1518.001 #T1190 #T1562.001 #T1016 #T1486 #T1133 #T1570 #T1560.001 #T1048 #T1070.001 #T1552 #T1003
2023-04-20
Mandiant
#SupplyChain #UNC4736 #YARA #3CXDesktopApp #SmoothOperator #X_Trader #UNC4469 #UNC3782 #T1573 #T1190 #T1608 #T1036 #T1012 #T1588.004 #T1027 #T1622 #T1071 #T1565.001 #T1082 #T1574 #T1614 #T1614.001 #T1620 #T1140 #T1608.003 #T1070.004 #T1036.001 #T1195 #T1071.004 #T1070.001 #T1105 #T1071.001 #T1195.002 #T1588 #T1055 #T1574.002 #T1070 #T1112 #T1083 #T1565 #T1497 #T1573.002 #T1497.001
2022-08-24
SKShildus
#Ransomware #Gwisin #T1589.001 #T1047 #T1036.003 #T0807 #T1595.002 #T1059.003 #T1003.001 #T1140 #T1587.001 #T1041 #T1608.001 #T1021.002 #T1070.001 #T1590 #T1218.007 #T1083 #T1490 #T1486 #T1110 #T1021.001 #T1021.004 #T1021.006
2021-05-21
Macnica
#Trend #CloudDragon #T1055.012 #T1047 #T1027 #T1560.001 #T1543.003 #T1071 #T1482 #T1518.001 #T1566.001 #T1053.002 #T1218.011 #T1547.001 #T1140 #T1087.002 #T1003.002 #T1053.005 #T1204.002 #T1070.001 #T1071.001 #T1574.001 #T1574.002 #T1003.003 #T1059.001 #T1036.005 #T1133 #T1021.001
2021-03-23
Sygnia
#MATA #TFlower #Lazarus #T1055.001 #T1112 #T1070.004 #T1547.005 #T1562 #T1053.005 #T1070.003 #T1113 #T1572 #T1486 #T1021.002 #T1036.005 #T1573.001 #T1552.001 #T1021.001 #T1021.004 #T1070.001 #T1008
2020-10-23
With Secure
#Lazarus #T1562.001 #T1053.005 #T1003.001 #T1055.002 #T1021.001 #T1070.001 #T1021.005
2020-08-18
With Secure
#Cryptocurrency #Whitepaper #YARA #Lazarus #T1059.005 #T1566.003 #T1552.001 #T1543.003 #T1027.002 #T1059.003 #T1003.001 #T1021.005 #T1070.004 #T1053.005 #T1078.002 #T1055.002 #T1070.001 #T1071.001 #T1112 #T1547.005 #T1083 #T1218.005 #T1059.001 #T1021.001
« Back