Clear Windows Event Logs
Event logging provides a standard, centralized way for applications (and the operating system) to record important software and hardware events. The event logging service records events from various sources and stores them in a single collection called an event log.
Event logs are very useful for investigating a computer after an intrusion and reconstructing the actions taken by an attacker. To hinder such a forensic investigation, attackers delete or clear the event logs so that their activity can no longer be traced.
Common commands found in malware (clearing the Setup, System, Security and Application logs, then deleting the NTFS USN change journal):
wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:
capa rules that flag the API calls used to clear, or crash, the Windows event logging service:

rule:
  meta:
    name: clear the Windows event log
    namespace: anti-analysis/anti-forensic/clear-logs
    author: email@example.com
    scope: basic block
    att&ck:
      - Defense Evasion::Indicator Removal on Host::Clear Windows Event Logs [T1070.001]
    examples:
      - 82BF6347ACF15E5D883715DC289D8A2B:0x14005E0C0
  features:
    - and:
      - api: advapi32.ElfClearEventLogFile
      - optional:
        - api: advapi32.OpenEventLog

rule:
  meta:
    name: crash the Windows event logging service
    namespace: anti-analysis/anti-forensic
    author: firstname.lastname@example.org
    scope: basic block
    att&ck:
      - Defense Evasion::Impair Defenses::Disable Windows Event Logging [T1562.002]
    references:
      - https://github.com/limbenjamin/LogServiceCrash
    examples:
      - 82BF6347ACF15E5D883715DC289D8A2B:0x14005E0C0
  features:
    - and:
      - count(api(advapi32.ElfClearEventLogFileW)): 3 or more
      - count(api(advapi32.OpenEventLogA)): 1 or more
Sigma rule that flags a process-creation command line stopping many services in a row, a step that often precedes log tampering:

title: Stop multiple services
status: experimental
description: Stop multiple services
author: Joe Security
date: 2019-12-30
id: 200040
threatname:
behaviorgroup: 18
classification: 8
mitreattack:
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine:
      - '*cmd*net stop*& net stop*& net stop*& net stop*& net stop*& net stop*& net stop*'
  condition: selection
level: critical
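As an added example (not code from the original page, capa or Sigma), the following script applies the Sigma-style wildcard matching used above to process-creation command lines: it carries the page's `net stop` pattern plus two assumed patterns for the `wevtutil cl` and `fsutil usn deletejournal` commands shown earlier, and runs them over constructed sample records.

```python
"""Match process-creation command lines against log-clearing patterns.

Added example, not part of the original page. Sigma wildcards ('*' matches any
run of characters, '?' a single character) are translated to regular
expressions; the records below are constructed samples, not real telemetry.
"""
import re

# The 'net stop' chain is the page's Sigma pattern; the other two are assumed
# patterns for the wevtutil/fsutil command line shown on the page.
PATTERNS = {
    "stop_multiple_services":
        "*cmd*net stop*& net stop*& net stop*& net stop*& net stop*& net stop*& net stop*",
    "clear_event_log": "*wevtutil* cl *",
    "delete_usn_journal": "*fsutil* usn *deletejournal*",
}


def sigma_to_regex(pattern: str) -> re.Pattern:
    """Translate a Sigma wildcard string into a case-insensitive regex."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


COMPILED = {name: sigma_to_regex(p) for name, p in PATTERNS.items()}


def match_command_line(command_line: str) -> list:
    """Return the names of every pattern the whole command line matches."""
    return [name for name, rx in COMPILED.items() if rx.fullmatch(command_line)]


def scan_records(records: list) -> list:
    """Return (record id, matched rule names) for each record with a hit."""
    hits = []
    for rec in records:
        names = match_command_line(rec["CommandLine"])
        if names:
            hits.append((rec["id"], names))
    return hits


# Constructed sample process-creation records.
SAMPLE_RECORDS = [
    {"id": 1, "CommandLine": "wevtutil cl Setup & wevtutil cl System & wevtutil cl Security"
                             " & wevtutil cl Application & fsutil usn deletejournal /D C:"},
    {"id": 2, "CommandLine": "cmd.exe /c net stop wuauserv & net stop bits & net stop spooler"
                             " & net stop wscsvc & net stop sense & net stop mpssvc & net stop windefend"},
    {"id": 3, "CommandLine": "wevtutil qe Security /c:5 /f:text"},  # benign log query
    {"id": 4, "CommandLine": "net stop spooler"},                   # single stop, benign
]

if __name__ == "__main__":
    for rec_id, names in scan_records(SAMPLE_RECORDS):
        print(f"record {rec_id}: {', '.join(names)}")
```

Records 1 and 2 are the only hits; the benign `wevtutil qe` query and the single `net stop` are not flagged.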