Indicator Removal: Clear Windows Event Logs T1070.001

Tactic: Defense Evasion

Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs record a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit. Clearing a log is itself recorded: the Security log writes Event ID 1102 (517 on pre-Vista systems) and the System log writes Event ID 104 when their contents are cleared, which is why the rules below key on those IDs as well as on the wevtutil, wmic and PowerShell invocations that do the clearing.

Events covered

8 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 14 rules listed under this technique (see "Rules under this technique" below): which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (25 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, contains, ends_with, in, starts_with, regex_match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

| Field | Rules | How | Sample values |
|---|---|---|---|
| CommandLine | 3 | contains 2, regex_match 1 | cl, clear-log, cleareventlog, wevtutil.*cl.*(system\|application\|security), wmic |
| ScriptBlockText | 3 | contains 2, eq 1 | clear-eventlog, .clear, .clearlog, clearlog, logname |
| EventData | 2 | contains 2 | clear-eventlog, clearlog, logname, system.diagnostics.eventing.reader.eventlogsession |
| Image | 2 | ends_with 2 | \wevtutil.exe, \wmic.exe |
| OriginalFileName | 2 | eq 2, in 2 | powershell.exe, auditpol.exe, logman.exe, powershell_ise.exe, pwsh.dll |
| Payload | 2 | contains 2 | clear-eventlog, clearlog, logname, system.diagnostics.eventing.reader.eventlogsession |
| event.type | 2 | eq 2 | start |
| process.args | 2 | eq 2, starts_with 1 | /e:false, /success:disable, Clear-EventLog, Disabled, EventLog |
| process_name | 2 | eq 2 | powershell.exe, auditpol.exe, logman.exe, powershell_ise.exe, pwsh.exe |
| AuditPolicyChangesDescription | 1 | eq 1, in 1 | Success Added, Success removed |
| EventID | 1 | eq 1 | 104, 1102, 517 |
| EventType | 1 | in 1 | Log clear, audit-log-cleared |
| SubCategory | 1 | in 1 | Audit Policy Change, Logon, Other System Events |
| event.category | 1 | eq 1 | process |
| event_platform | 1 | eq 1 | Win |

Top indicator values (79 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

| Field | Kind | Value | Rules (here) | Corpus reach |
|---|---|---|---|---|
| OriginalFileName | in | powershell.exe | 2 | 17 |
| OriginalFileName | in | powershell_ise.exe | 2 | 9 |
| OriginalFileName | in | pwsh.dll | 2 | 10 |
| event.type | eq | start | 2 | 606 |
| process_name | eq | powershell.exe | 2 | 104 |
| process_name | eq | powershell_ise.exe | 2 | 50 |
| process_name | eq | pwsh.exe | 2 | 62 |
| AuditPolicyChangesDescription | eq | Success removed | 1 | |
| AuditPolicyChangesDescription | in | Success Added | 1 | |
| AuditPolicyChangesDescription | in | Success removed | 1 | |
| CommandLine | contains | cl | 1 | 3 |
| CommandLine | contains | clear-log | 1 | 2 |
| CommandLine | contains | cleareventlog | 1 | 2 |
| CommandLine | contains | wmic | 1 | 6 |
| CommandLine | regex_match | wevtutil.*cl.*(system\|application\|security) | 1 | |
| EventData | contains | clear-eventlog | 1 | |
| EventData | contains | clearlog | 1 | |
| EventData | contains | logname | 1 | |
| EventData | contains | system.diagnostics.eventing.reader.eventlogsession | 1 | |
| EventID | eq | 104 | 1 | 2 |
| EventID | eq | 1102 | 1 | 4 |
| EventID | eq | 517 | 1 | |
| EventType | in | Log clear | 1 | |
| EventType | in | audit-log-cleared | 1 | |
| Image | ends_with | \wevtutil.exe | 1 | 9 |
| Image | ends_with | \wmic.exe | 1 | 60 |
| OriginalFileName | eq | auditpol.exe | 1 | 10 |
| OriginalFileName | eq | logman.exe | 1 | 2 |
| OriginalFileName | eq | wevtutil.exe | 1 | 7 |
| Payload | contains | clear-eventlog | 1 | |

Exclusions (3 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

| Field | Kind | Value | Rules excluding |
|---|---|---|---|
| Esql.winlog_AuditPolicyChangesDescription_values | contains | success added | 1 |
| ScriptBlockText | eq | cmdletstoexport=@("add-content" | 1 |
| file.directory | eq | C:\Program... | 1 |
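The tables above can be exercised directly. The Python script below is an added example, not code from the catalog or from any of the listed vendors. It normalizes a few vendor field names the way the catalog describes (Image, process.name and process_name collapse to one field), applies a handful of indicators from the Top indicator values table plus the ScriptBlockText exclusion from the Exclusions table, and runs them over constructed sample events. The alias map, the verdict labels, the sample events and the exact exclusion prefix are assumptions chosen for illustration; the Event IDs and indicator values come from the tables.

```python
"""Apply a subset of this page's T1070.001 indicators to constructed events.

Added example, not catalog or vendor code. Alias map, verdict labels,
sample events and the exclusion prefix are assumptions for illustration.
"""
import re

# Vendor field names collapsed to one canonical name, mirroring the
# catalog's normalization of Image / process.name / process_name.
FIELD_ALIASES = {
    "Image": "image", "process.name": "image", "process_name": "image",
    "CommandLine": "cmdline", "process.command_line": "cmdline",
    "ScriptBlockText": "script", "EventID": "event_id",
}


def normalize(event):
    return {FIELD_ALIASES.get(k, k): v for k, v in event.items()}


def match(op, actual, wanted):
    """Operators from the How column, applied case-insensitively."""
    a, w = str(actual).lower(), str(wanted).lower()
    if op == "eq":
        return a == w
    if op == "contains":
        return w in a
    if op == "ends_with":
        return a.endswith(w)
    if op == "regex_match":
        return re.search(w, a) is not None
    raise ValueError(f"unknown operator {op}")


# Windows writes a record of the clearing itself: Security 1102
# (517 before Vista) and System 104. No process telemetry needed.
LOG_CLEARED_IDS = {104, 1102, 517}

# (field, operator, value) triples taken from the Top indicator values table.
CLEAR_TERMS = [
    ("cmdline", "regex_match", r"wevtutil.*cl.*(system|application|security)"),
    ("cmdline", "contains", "clear-eventlog"),
    ("script", "contains", "clear-eventlog"),
    ("script", "contains", "system.diagnostics.eventing.reader.eventlogsession"),
]

# Process names with high corpus reach (powershell.exe: 104 rules, wmic.exe: 60).
# Broad on their own, so they only count when paired with a CLEAR_TERMS hit.
CLEAR_IMAGES = {"wevtutil.exe", "wmic.exe", "powershell.exe", "pwsh.exe"}

# Exclusion from the Exclusions table: a module manifest whose script block
# merely lists Clear-EventLog among its exported cmdlets (prefix is assumed).
EXCLUDED_SCRIPT_PREFIX = 'cmdletstoexport=@("add-content"'


def evaluate(raw, apply_exclusions=True):
    """Return 'log_cleared', 'clear_command' or None for a single event."""
    e = normalize(raw)
    if int(e.get("event_id", 0)) in LOG_CLEARED_IDS:
        return "log_cleared"
    if apply_exclusions and str(e.get("script", "")).lower().startswith(EXCLUDED_SCRIPT_PREFIX):
        return None
    # Basename comparison so Sigma's full Image path and Elastic's bare
    # process.name are judged the same way.
    image = str(e.get("image", "")).lower().rsplit("\\", 1)[-1]
    image_hit = image in CLEAR_IMAGES
    term_hit = any(f in e and match(op, e[f], v) for f, op, v in CLEAR_TERMS)
    # Image alone (PowerShell merely starting) never fires; the pairing is the signal.
    return "clear_command" if image_hit and term_hit else None


def naive_cl_hit(raw):
    """The page's broadest indicator, CommandLine contains 'cl', evaluated alone."""
    e = normalize(raw)
    return match("contains", e.get("cmdline", ""), "cl")


# Constructed sample events in three vendors' field vocabularies.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wevtutil.exe",                    # Sigma-style
     "CommandLine": "wevtutil.exe cl Security"},
    {"process.name": "powershell.exe",                                # Elastic-style
     "process.command_line": "powershell -c Clear-EventLog -LogName System"},
    {"process_name": "powershell.exe",                                # Splunk-style, benign
     "CommandLine": "powershell -c Get-ChildItem"},
    {"process_name": "cmd.exe",                                       # 'cl' substring, no clearing
     "CommandLine": "cmd /c cls"},
    {"EventID": 1102, "Channel": "Security"},                         # the OS's own clear record
    {"process_name": "powershell.exe",                                # manifest hit by the exclusion
     "ScriptBlockText": 'CmdletsToExport=@("Add-Content","Clear-Content","Clear-EventLog")'},
]


def run(events=SAMPLE_EVENTS):
    return [evaluate(ev) for ev in events]


if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, run()):
        print(f"{verdict!s:14} {ev}")
```

Three things the run illustrates that the tables only imply: the Security 1102 / System 104 events fire with no process telemetry at all, so they belong in any rule set even where command-line logging is absent; a PowerShell start on its own never produces a verdict, which is what the high corpus-reach figures for process_name eq powershell.exe are telling you; and the broadest indicator, CommandLine contains cl, matches "cmd /c cls" and every other command line containing those two letters, so it is only usable as a narrowing clause beside an image or Event ID condition.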

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor.


Sigma 5 rules

Elastic 5 rules

Splunk 2 rules

YARA-L 1 rule

Panther 1 rule