GET /api/techniques/133/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 133,
    "key": "indicator-removal-clear-windows-event-logs",
    "unprotect_id": "T1070.001,U0302",
    "name": "Indicator Removal: Clear Windows Event Logs",
    "description": "Event logging is a process that records important software and hardware events from various sources and stores them in a centralized location called an event log. This service is commonly used by applications and operating systems to track and troubleshoot issues, and can be a valuable tool for forensic investigations.\r\n\r\nEvent logs can provide valuable information about the actions taken by an attacker during a security breach, including the time and date of the attack, the source of the attack, and any changes made to the system. However, attackers may attempt to delete or clear event logs to conceal their actions and evade detection.\r\n\r\nForensic investigators can look for signs of event log tampering by checking for Event ID 1102 in the Security log, which indicates that the audit log has been cleared; clearing of other logs, such as System or Application, is recorded as Event ID 104 in the System log. Either event can be an indication that an attacker has attempted to cover their tracks. Forwarding event logs to a central collector keeps a copy that clearing the local log does not remove.",
    "resources": "https://0x00sec.org/t/anti-forensic-and-file-less-malware/10008#221-disabling-event-logging\nhttps://attack.mitre.org/techniques/T1070/001/\nhttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1102",
    "creation_date": "2019-03-23T18:23:34Z",
    "tags": "Defense Evasion\r\nevent, \r\nlog,\r\nwevtutil cl system,\r\nwevtutil cl application,\r\nwevtutil cl security,\r\nwipe logs,\r\nAPT28,\r\nAPT32,\r\nAPT38,\r\nAPT41,",
    "modification_date": "2023-10-04T10:44:13.015000Z",
    "category": [
        8,
        10
    ],
    "rules": [
        11,
        12
    ],
    "attachments": [],
    "featured_api": [],
    "contributors": []
}