Skip to content
Threat Feed
low advisory

Windows Event Log Clearing Attempt Detected

Adversaries clear Windows event logs to evade detection and destroy forensic evidence, breaking SIEM detections and covering their tracks.

Attackers often attempt to clear Windows event logs to evade detection and destroy forensic evidence. This technique is used to break SIEM detections, cover tracks, and slow down incident response. Windows event logs are a fundamental data source for security monitoring, forensics, and incident response, making their integrity crucial for defenders. This rule focuses on detecting clear actions on the Security and System event logs, providing an alert when such activity is observed. This behavior is often indicative of post-compromise activity and an attempt to hide malicious actions already taken on the system.

Attack Chain

  1. The attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).
  2. The attacker escalates privileges to gain administrative access required to clear logs.
  3. The attacker uses a command-line tool such as wevtutil or PowerShell to clear the Security or System event logs.
  4. The system records an event with the event ID indicating that the event logs have been cleared (event.action:"audit-log-cleared" or "Log clear").
  5. The event is logged in the Security or System channel (winlog.channel: ("Security" or "System")).
  6. Security monitoring tools ingest the event data.
  7. The detection rule identifies the log clearing activity based on the event data.
  8. The attacker continues with their objectives, now with reduced chances of being detected through standard log analysis.

Impact

Successful clearing of Windows event logs can severely hinder incident response efforts. By removing critical forensic data, attackers can obscure their activities, making it difficult to determine the scope and nature of the compromise. This can lead to prolonged dwell time, increased data exfiltration, and greater overall damage. The absence of event logs prevents defenders from identifying the initial attack vector, lateral movement, and other malicious actions performed on the system.

Recommendation

  • Deploy the Sigma rule "Windows Event Logs Cleared" to your SIEM to detect log clearing attempts based on event.action and winlog.channel.
  • Investigate any alerts generated by the Sigma rule, focusing on the process execution chain and user accounts involved, as described in the rule's note section.
  • Enable and monitor Windows Security and System Event Logs to ensure that log clearing attempts are captured.
  • Review and harden access controls to prevent unauthorized users from clearing event logs.
  • Implement a log forwarding solution to a secure, centralized logging server to preserve logs even if they are cleared on the endpoint.

Detection coverage 3

Windows Event Logs Cleared

low

Detects attempts to clear Windows event log stores.

sigma tactics: defense_evasion techniques: T1070.001 sources: system, windows

Windows Event Logs Cleared - Wevtutil

medium

Detects attempts to clear Windows event logs using Wevtutil.

sigma tactics: defense_evasion techniques: T1070.001 sources: process_creation, windows

Windows Event Logs Cleared - PowerShell Clear-EventLog

medium

Detects attempts to clear Windows event logs using PowerShell Clear-EventLog cmdlet.

sigma tactics: defense_evasion techniques: T1070.001 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →