Threat Feed advisory (severity: low)

Windows Event Logs Cleared

Attackers attempt to clear Windows event logs to evade detection and remove forensic evidence of their activities.

Attackers often clear Windows event logs to cover their tracks and hinder forensic investigations. The technique is used post-compromise to remove evidence of malicious activity, making intrusions harder for defenders to detect and respond to. It is typically observed after an attacker has achieved their objectives and wants to maintain persistence or compromise the system further; by clearing logs they evade detection and prolong their access to the environment. The logs can be cleared by various means, but the end result is the same: the Security or System event log, both critical for security monitoring, is emptied. The aim is to disrupt incident response and evade SIEM detections.

Attack Chain

  1. Initial compromise of the system via phishing, exploitation, or credential theft.
  2. Privilege escalation to gain administrative access to the system.
  3. Discovery of event log locations and tools for clearing logs.
  4. Execution of commands or tools to clear the Security or System event logs.
  5. Verification of event log clearance to confirm the action’s success.
  6. Continued malicious activity without leaving obvious traces in the logs.
  7. Attempts to disable or tamper with security monitoring tools to prevent future detection.

Impact

Successfully clearing Windows event logs can severely impair an organization’s ability to detect and respond to security incidents. The missing log data hinders forensic investigations and prevents malicious activity from being identified, which can lead to prolonged intrusions, data breaches, and significant financial losses. The low severity reflects the fact that, while impactful, this behavior usually occurs after a compromise has already taken place.

Recommendation

  • Deploy the Sigma rule “Windows Event Logs Cleared” to your SIEM to detect attempts to clear event logs.
  • Investigate any alerts generated by the “Windows Event Logs Cleared” Sigma rule, focusing on the process execution chain and the user accounts involved.
  • Enable Sysmon process creation logging to provide more detailed information about the processes involved in clearing event logs.

Detection coverage (2 rules)

Windows Event Logs Cleared

medium

Detects attempts to clear Windows event logs by monitoring for specific event IDs associated with log clearing.

Type: sigma | Tactic: defense_evasion | Technique: T1070.001 | Sources: event_audit, windows

Suspicious Process Clearing Windows Event Logs

high

Detects suspicious processes that may be used to clear Windows event logs.

Type: sigma | Tactic: defense_evasion | Technique: T1070.001 | Sources: process_creation, windows
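The two rules above are kept inside the platform, so the following is an added example of what their logic looks like, not the platform's own queries. It runs both detections over a handful of constructed event records: the first rule keys on the events the Windows event log service writes when a log is cleared (Security 1102 and System 104, both from the Microsoft-Windows-Eventlog provider), and the second inspects Sysmon process-creation events for the built-in clearing tools (wevtutil’s clear-log verb and the Clear-EventLog cmdlet). The choice of tools matched by the second rule, the field names and the sample events are assumptions made for this example.

```python
"""Added example: detection logic for cleared Windows event logs (MITRE ATT&CK T1070.001)."""
import ntpath

TECHNIQUE = "T1070.001"  # Indicator Removal: Clear Windows Event Logs

# (channel, event ID) pairs recorded by the event log service when a log is cleared.
LOG_CLEARED_EVENTS = {
    ("Security", 1102),  # "The audit log was cleared"
    ("System", 104),     # "The <log> log file was cleared"
}

# Assumed indicators for the process-creation rule; the page does not publish what
# the platform's rule actually matches.
WEVTUTIL_CLEAR_VERBS = {"cl", "clear-log"}
POWERSHELL_CLEAR_CMDLETS = {"clear-eventlog"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


def event_log_cleared(ev: dict) -> bool:
    """Rule 1 (medium): the log service itself reports that a log was cleared."""
    return ((ev.get("channel"), ev.get("event_id")) in LOG_CLEARED_EVENTS
            and ev.get("provider") == "Microsoft-Windows-Eventlog")


def suspicious_clearing_process(ev: dict) -> bool:
    """Rule 2 (high): a Sysmon process-creation event whose command line clears a log."""
    if ev.get("channel") != "Microsoft-Windows-Sysmon/Operational" or ev.get("event_id") != 1:
        return False
    image = ntpath.basename(ev.get("image", "")).lower()
    tokens = ev.get("command_line", "").lower().split()
    # wevtutil syntax is "wevtutil COMMAND ...": the verb is the first argument.
    if image == "wevtutil.exe" and len(tokens) >= 2 and tokens[1] in WEVTUTIL_CLEAR_VERBS:
        return True
    # PowerShell: look for the cmdlet anywhere in the command line, ignoring quoting.
    if image in POWERSHELL_IMAGES:
        return any(t.strip("\"'();{}") in POWERSHELL_CLEAR_CMDLETS for t in tokens)
    return False


RULES = [
    ("Windows Event Logs Cleared", "medium", event_log_cleared),
    ("Suspicious Process Clearing Windows Event Logs", "high", suspicious_clearing_process),
]


def run_detections(events):
    """Apply every rule to every event and return one alert per match."""
    alerts = []
    for ev in events:
        for name, severity, matches in RULES:
            if matches(ev):
                alerts.append({
                    "rule": name,
                    "severity": severity,
                    "technique": TECHNIQUE,
                    "user": ev.get("user"),
                    "evidence": ev.get("command_line") or f"{ev['channel']} EID {ev['event_id']}",
                })
    return alerts


# Constructed sample telemetry: two benign records and four that should alert.
SYSMON = "Microsoft-Windows-Sysmon/Operational"
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4624, "provider": "Microsoft-Windows-Security-Auditing",
     "user": "CORP\\alice"},                                                  # benign logon
    {"channel": "Security", "event_id": 1102, "provider": "Microsoft-Windows-Eventlog",
     "user": "CORP\\alice"},                                                  # rule 1
    {"channel": "System", "event_id": 104, "provider": "Microsoft-Windows-Eventlog",
     "user": "CORP\\alice"},                                                  # rule 1
    {"channel": SYSMON, "event_id": 1, "image": r"C:\Windows\System32\wevtutil.exe",
     "command_line": "wevtutil.exe cl Security",
     "parent_image": r"C:\Windows\System32\cmd.exe", "user": "CORP\\alice"},  # rule 2
    {"channel": SYSMON, "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -nop -c "Clear-EventLog -LogName System"',
     "parent_image": r"C:\Windows\explorer.exe", "user": "CORP\\alice"},      # rule 2
    {"channel": SYSMON, "event_id": 1, "image": r"C:\Windows\System32\wevtutil.exe",
     "command_line": "wevtutil.exe qe Security /c:5",
     "parent_image": r"C:\Windows\System32\cmd.exe", "user": "CORP\\bob"},    # benign query
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['rule']} ({alert['technique']}) "
              f"user={alert['user']} evidence={alert['evidence']}")
```

Rule 1 fires on a property of the log service rather than of any tool, so it is the one to rely on when the clearing method is unknown; rule 2 adds the process chain (image, parent, user) that the recommendation above says to focus on during investigation, which is why the two rules are deployed together.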
