Clear Windows Event Logs

Event logging provides a standard, centralized way for applications (and the operating system) to record important software and hardware events. The event logging service records events from various sources and stores them in a single collection called an event log.

Event logs are very useful for investigating a computer after an intrusion and reconstructing the actions an attacker took. To hinder such a forensic investigation, attackers can delete or clear event logs so that their activity can no longer be traced.

T1070.001 U0302

Code Snippets

Thomas Roccia

Description

Common commands found in malware.

wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:

Detection Rules

rule:
  meta:
    name: clear the Windows event log
    namespace: anti-analysis/anti-forensic/clear-logs
    author: michael.hunhoff@fireeye.com
    scope: basic block
    att&ck:
      - Defense Evasion::Indicator Removal on Host::Clear Windows Event Logs [T1070.001]
    examples:
      - 82BF6347ACF15E5D883715DC289D8A2B:0x14005E0C0
  features:
    - and:
      - api: advapi32.ElfClearEventLogFile
      - optional:
        - api: advapi32.OpenEventLog

rule:
  meta:
    name: crash the Windows event logging service
    namespace: anti-analysis/anti-forensic
    author: michael.hunhoff@fireeye.com
    scope: basic block
    att&ck:
      - Defense Evasion::Impair Defenses::Disable Windows Event Logging [T1562.002]
    references:
      - https://github.com/limbenjamin/LogServiceCrash
    examples:
      - 82BF6347ACF15E5D883715DC289D8A2B:0x14005E0C0
  features:
    - and:
      - count(api(advapi32.ElfClearEventLogFileW)): 3 or more
      - count(api(advapi32.OpenEventLogA)): 1 or more

title: Stop multiple services
status: experimental
description: Stop multiple services
author: Joe Security
date: 2019-12-30
id: 200040
threatname:
behaviorgroup: 18
classification: 8
mitreattack:

logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine:
      - '*cmd*net stop*& net stop*& net stop*& net stop*& net stop*& net stop*& net stop*'
  condition: selection
level: critical
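As an added example (not code from the Unprotect Project or this page's author), the Python below applies the two detection ideas used above, command-line matching for wevtutil cl / fsutil usn deletejournal and the "log cleared" records the event log service writes itself (Security event 1102, System event 104), to constructed sample telemetry. The record field names are an assumption of this example.

```python
import re

# Constructed sample telemetry (not from the original page): process-creation records in
# the shape of Sysmon Event ID 1 plus the "log cleared" records the event log service
# writes on its own (Security 1102, System 104). Field names are an assumption.
SAMPLE_EVENTS = [
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security "
                     "& wevtutil cl Application & fsutil usn deletejournal /D C:"},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
     "image": r"C:\Windows\System32\wevtutil.exe",
     "command_line": "wevtutil  cl Security"},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
     "image": r"C:\Windows\System32\wevtutil.exe",
     "command_line": "wevtutil qe Security /c:5 /f:text"},  # benign query, must not fire
    {"channel": "Security", "event_id": 1102, "image": "", "command_line": ""},
    {"channel": "System", "event_id": 104, "image": "", "command_line": ""},
]

# wevtutil accepts both the short verb "cl" and the long form "clear-log".
CLEAR_CMD = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(\S+)", re.IGNORECASE)
USN_CMD = re.compile(r"\bfsutil(?:\.exe)?\s+usn\s+deletejournal\b", re.IGNORECASE)
LOG_CLEARED = {("Security", 1102), ("System", 104)}


def classify(event):
    """Return the findings for one record; an empty list means nothing suspicious."""
    findings = []
    cmd = event.get("command_line", "")
    logs = [m.group(1) for m in CLEAR_CMD.finditer(cmd)]
    if logs:
        findings.append("T1070.001 wevtutil clear-log: " + ", ".join(logs))
    if USN_CMD.search(cmd):
        findings.append("T1070 fsutil usn deletejournal")
    key = (event.get("channel"), event.get("event_id"))
    if key in LOG_CLEARED:
        findings.append(f"T1070.001 log cleared record: {key[0]} EID {key[1]}")
    return findings


def scan(events):
    """Map the index of each flagged record to its findings, skipping clean records."""
    hits = {}
    for i, event in enumerate(events):
        findings = classify(event)
        if findings:
            hits[i] = findings
    return hits


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(idx, findings)
```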
