Clear Windows Event Logs

Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are record of a computer's alert and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.

The event logs can be cleared with the following utility commands:

· Wevtutil cl system

· Wevtutil cl application

· Wevtutil cl security

These logs may also be cleared through other mechanisms, such as event viewer GUI or PowerShell

Example:

Adversaries with high permissions they can clear all their malicious steps taken in an environment, even though not the stealthiest but still a reliable way to remove tracks is to clear the Windows Event Logs, here is a sample on a Logon Event in Windows.

That is one example of a User login into the System and hunting for malicious activity, we also have some more in-depth examples with PowerShell we can enable Script Logging and have a detailed view on what is going on, adversaries tend to use PowerShell for it's In-Memory capability for fileless payloads.

In the above sample a user is invoking PowerShell with one common cmdlet to view what processes are running. So let's delete them some common ones "Security" from the logs and remove our tracks showing a clean slate.

Careful as you can see below an Event is Created as well that the logs have been cleared. It even says who did it and the time so be aware of this.

Of Course this is not a good thing to do in an environment you are assessing as you are trying to make the Blue Team better, remember be Ethical.

PreviousT1070: Indicator Removal on Host NextClear Command History

Last updated 3 years ago