Clear Windows Event Logs

Event logging provides a standard, centralized way for applications (and the operating system) to record important software and hardware events. The event logging service records events from various sources and stores them in a single collection called an event log.

Event logs can be very useful for investigating a computer after an intrusion and understanding the actions taken by an attacker. To hinder a forensic investigation, attackers can delete or clear event logs so that the attack cannot be reconstructed from them.

T1070.001 U0302

Code Snippets

Thomas Roccia

Description

Common commands found in malware.

wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:

Detection Rules

rule:
  meta:
    name: clear the Windows event log
    namespace: anti-analysis/anti-forensic/clear-logs
    author: michael.hunhoff@fireeye.com
    scope: basic block
    att&ck:
      - Defense Evasion::Indicator Removal on Host::Clear Windows Event Logs [T1070.001]
    examples:
      - 82BF6347ACF15E5D883715DC289D8A2B:0x14005E0C0
  features:
    - and:
      - api: advapi32.ElfClearEventLogFile
      - optional:
        - api: advapi32.OpenEventLog

rule:
  meta:
    name: crash the Windows event logging service
    namespace: anti-analysis/anti-forensic
    author: michael.hunhoff@fireeye.com
    scope: basic block
    att&ck:
      - Defense Evasion::Impair Defenses::Disable Windows Event Logging [T1562.002]
    references:
      - https://github.com/limbenjamin/LogServiceCrash
    examples:
      - 82BF6347ACF15E5D883715DC289D8A2B:0x14005E0C0
  features:
    - and:
      - count(api(advapi32.ElfClearEventLogFileW)): 3 or more
      - count(api(advapi32.OpenEventLogA)): 1 or more

title: Stop multiple services
status: experimental
description: Stop multiple services
author: Joe Security
date: 2019-12-30
id: 200040
threatname:
behaviorgroup: 18
classification: 8
mitreattack:

logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine:
      - '*cmd*net stop*& net stop*& net stop*& net stop*& net stop*& net stop*& net stop*'
  condition: selection
level: critical
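The capa rules above match the log-clearing API statically in a sample, and the Sigma rule matches a command line in process-creation telemetry. The following Python is an added example (not from the Unprotect page, capa, or Joe Security) of the telemetry-side check a defender would run: it flags the wevtutil cl / fsutil usn deletejournal chain from the code snippet, the seven-fold net stop chain in the same shape as the Sigma rule, and the events the event log service itself writes when a log is cleared (1102 in Security, 104 in System). The record format (dicts with EventID, CommandLine and Channel keys, modelled on Sysmon Event ID 1 and the Security/System channels) and all sample events are assumptions constructed for the example. Note that the second capa rule describes crashing the logging service, in which case no 1102/104 event is ever written, so forwarding process-creation telemetry (with command lines) off the host matters more than the cleared-log events alone.

```python
import re
from typing import Dict, List

# Command-line patterns for the anti-forensic commands shown on the page.
# "cl" is the documented alias of wevtutil's "clear-log" verb, so both are matched.
WEVTUTIL_CLEAR = re.compile(
    r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(\S+)", re.IGNORECASE)
USN_DELETE = re.compile(
    r"\bfsutil(?:\.exe)?\s+usn\s+deletejournal\b", re.IGNORECASE)
# Same shape as the Joe Security Sigma rule above: 'cmd', then seven 'net stop'
# invocations chained with '&'.
NET_STOP_CHAIN = re.compile(r"cmd.*net stop" + r".*& net stop" * 6, re.IGNORECASE)

# Events written by the Windows event log service when a log is cleared:
# 1102 in Security ("The audit log was cleared"), 104 in System ("The System log file was cleared").
LOG_CLEARED_EVENTS = {1102: "Security", 104: "System"}

# ATT&CK mapping taken from the page; the other detections are left unmapped here.
ATTACK = {"wevtutil-clear-log": "T1070.001", "event-log-cleared": "T1070.001"}


def classify_command_line(cmdline: str) -> List[str]:
    """Return detection names for one process command line (empty list if nothing matches)."""
    hits: List[str] = []
    cleared = WEVTUTIL_CLEAR.findall(cmdline)       # names of the logs being cleared
    if cleared:
        hits.append("wevtutil-clear-log:" + ",".join(cleared))
    if USN_DELETE.search(cmdline):
        hits.append("usn-journal-delete")
    if NET_STOP_CHAIN.search(cmdline):
        hits.append("net-stop-chain")
    return hits


def analyze(events: List[Dict]) -> List[Dict]:
    """Walk a list of event records and return one finding per detection."""
    findings: List[Dict] = []
    for idx, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid in LOG_CLEARED_EVENTS:
            findings.append({
                "index": idx,
                "detection": "event-log-cleared",
                "detail": f"EventID {eid} ({LOG_CLEARED_EVENTS[eid]} log)",
                "attack": ATTACK["event-log-cleared"],
            })
            continue
        cmdline = ev.get("CommandLine", "")
        for name in classify_command_line(cmdline):
            base = name.split(":", 1)[0]
            findings.append({
                "index": idx,
                "detection": name,
                "detail": cmdline,
                "attack": ATTACK.get(base),
            })
    return findings


# Constructed sample telemetry (hypothetical, modelled on Sysmon Event ID 1 records
# and the Security/System channels); not data from any real host.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security "
                    "& wevtutil cl Application & fsutil usn deletejournal /D C:"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil qe Security /c:5"},   # reading a log is normal admin activity
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c net stop A & net stop B & net stop C & net stop D "
                    "& net stop E & net stop F & net stop G"},
    {"EventID": 1102, "Channel": "Security", "SubjectUserName": "admin"},
    {"EventID": 104, "Channel": "System", "SubjectUserName": "admin"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Get-Process"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"event[{f['index']}] {f['detection']} attack={f['attack']} :: {f['detail']}")
```

Running the block prints five findings for the six constructed events: two for the first command line (the cleared log names and the USN journal deletion), one for the net stop chain, and one each for the 1102 and 104 events; the wevtutil query and the PowerShell command produce nothing.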
