# Clear Windows Event Logs

Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.

The event logs can be cleared with the following utility commands:

```
wevtutil cl system
wevtutil cl application
wevtutil cl security
```

These logs may also be cleared through other mechanisms, such as the Event Viewer GUI or PowerShell (the `Clear-EventLog` cmdlet in Windows PowerShell 5.1).
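The same three clears driven from an elevated PowerShell session in a lab, with record counts captured before and after so the effect is visible. This is an added example, not code from the original page; it assumes an Administrator session (clearing the Security log needs the security privilege) and Windows PowerShell 5.1 for the `Clear-EventLog` alternative, since that cmdlet was dropped from PowerShell 7.

```powershell
# Added example, not from the original page. Run in an elevated (Administrator) session.
$logs = 'System', 'Application', 'Security'

# Record counts before clearing; -ListLog reads log metadata without enumerating events.
Get-WinEvent -ListLog $logs | Select-Object LogName, RecordCount, FileSize

# Mechanism 1: wevtutil, the same commands listed above ("cl" = clear-log).
foreach ($log in $logs) {
    wevtutil.exe cl $log
    if ($LASTEXITCODE -ne 0) { Write-Warning "wevtutil failed to clear $log (exit $LASTEXITCODE)" }
}

# Mechanism 2 (Windows PowerShell 5.1 only): the built-in cmdlet does the same thing.
#   Clear-EventLog -LogName $logs
# Mechanism 3: the .NET class that cmdlet wraps, available in both editions.
#   foreach ($log in $logs) { [System.Diagnostics.EventLog]::new($log).Clear() }

# Record counts after clearing. They are not zero: the clear itself is logged
# (Event ID 1102 in Security, Event ID 104 in System for the other logs).
Get-WinEvent -ListLog $logs | Select-Object LogName, RecordCount, FileSize
```

Whichever mechanism is used, the result is the same from the defender's side: the log file is emptied and a new record of the clearing is written, which is what makes the later detection possible.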

**Example:**

Adversaries with high privileges can remove the record of the steps they took in an environment. Clearing the Windows Event Logs is not the stealthiest way to remove tracks, but it is a reliable one. Here is a sample of a Logon event in Windows.

![](/files/-MRhncXeZXCfVXfrbazs)

That is one example of a user login into the system and of hunting for malicious activity. For more in-depth visibility we can enable PowerShell Script Block Logging and get a detailed view of what is going on; adversaries tend to use PowerShell for its in-memory capability with fileless payloads.
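One way to turn on Script Block Logging without the Group Policy editor and then read back what it captured, as an added example that is not part of the original page: it writes the same policy registry value the "Turn on PowerShell Script Block Logging" GPO sets, then queries Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log. The 10-minute lookback and the `Get-Process` filter are choices for this demo, not fixed values. Run it elevated.

```powershell
# Added example, not from the original page. Run elevated; the registry key is the one the
# "Turn on PowerShell Script Block Logging" policy writes.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Something to log: the process-listing cmdlet from the screenshot above. Use a fresh PowerShell
# session for this part if no 4104 events show up, so the new policy is certainly picked up.
Get-Process | Select-Object -First 3 | Out-Null

# Event ID 4104 ("Creating Scriptblock text") carries the script text. In its event data,
# Properties[2] is ScriptBlockText (Properties[0]/[1] are the fragment index and count,
# Properties[3] the ScriptBlock ID, Properties[4] the path if the block came from a file).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddMinutes(-10)
} -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            UserSid = $_.UserId            # SID of the account whose session ran the block
            Script  = $_.Properties[2].Value
        }
    } |
    Where-Object { $_.Script -match 'Get-Process' } |
    Format-Table -Wrap -AutoSize
```

Note that Script Block Logging records what was executed, including code that was decoded or decompressed in memory before running, which is exactly the fileless activity that never touches disk and that process-creation logging alone would miss.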

![](/files/-MRhndabX1qt99U8cDoW)

In the sample above a user invokes PowerShell with a common cmdlet to view the running processes. Now let's clear some of the common logs, such as "Security", to remove our tracks and show a clean slate.

![](/files/-MRhneqj3UE8RKNeU-0u)

Careful: as you can see below, clearing a log creates an event of its own. The Security log records Event ID 1102 ("The audit log was cleared") and the System log records Event ID 104 when any other log is cleared. Both include who did it and when, so be aware of this.
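A defender's check for the events the screenshot shows, as an added example that is not part of the original page. It pulls Event ID 1102 from the Security log and Event ID 104 from the System log and reads the account and the cleared channel out of each event's XML, which is more robust than relying on positional property order because the two events lay out their fields differently. The 7-day lookback is an arbitrary default; reading the Security log needs membership in Administrators or Event Log Readers.

```powershell
# Added example, not from the original page. Both events keep their fields under
# <UserData><LogFileCleared>, so the XML is parsed instead of indexing $_.Properties.
function Get-LogClearEvents {
    [CmdletBinding()]
    param(
        [datetime]$StartTime = (Get-Date).AddDays(-7)   # arbitrary default lookback
    )

    $filters = @(
        @{ LogName = 'Security'; Id = 1102; StartTime = $StartTime },  # audit (Security) log cleared
        @{ LogName = 'System';   Id = 104;  StartTime = $StartTime }   # any other log cleared
    )

    foreach ($f in $filters) {
        # -ErrorAction SilentlyContinue suppresses the "No events were found" error on a quiet host.
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
            $d = ([xml]$_.ToXml()).Event.UserData.LogFileCleared
            # 1102 has no Channel element (it is always the Security log); 104 names the channel.
            $cleared = if ($_.Id -eq 1102) { 'Security' } else { $d.Channel }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                EventId    = $_.Id
                Computer   = $_.MachineName
                LogCleared = $cleared
                Account    = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
            }
        }
    }
}

Get-LogClearEvents | Sort-Object Time -Descending | Format-Table -AutoSize
```

Because the 1102 and 104 records live on the same host that was just wiped, this check is only as good as the log forwarding behind it: with Windows Event Forwarding or a SIEM agent shipping the Security and System logs off-host, the clear event itself becomes the alert, and the entries the adversary removed locally are already preserved elsewhere.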

![](/files/-MRhnfbV6frgS_gMYNZH)

Of course this is not a good thing to do in an environment you are assessing, as you are trying to make the Blue Team better. Remember to be ethical.

