Clear Windows Event Logs

Information

• Name: Clear Windows Event Logs

• ID: T1070.001

• Tactics:

• Technique:

Introduction

Clearing Windows Event Logs (MITRE ATT&CK sub-technique T1070.001) is a common adversary tactic used to conceal malicious activity and hinder forensic investigations. Attackers often clear or manipulate event logs on compromised Windows systems to remove evidence of their intrusion, execution of malicious code, or lateral movement activities. This sub-technique is categorized under the broader technique "Indicator Removal on Host" (T1070) within the MITRE ATT&CK framework.

Deep Dive Into Technique

Windows operating systems maintain extensive event logs, capturing system, security, application, and operational events. Attackers frequently target these logs to erase traces of their activities. This sub-technique typically involves the following technical methods and mechanisms:

• Built-in Windows Utilities:

  • Attackers commonly utilize built-in Windows command-line utilities such as wevtutil.exe or PowerShell cmdlets to clear event logs:

    • wevtutil cl <logname> (e.g., wevtutil cl Security)

    • PowerShell commands such as Clear-EventLog -LogName Security

  • These built-in tools require administrative privileges to run successfully.

• Manual Event Log Deletion:

  • Attackers may directly delete or overwrite event log files located in %SystemRoot%\System32\winevt\Logs\.

  • Common log files targeted include Security.evtx, System.evtx, and Application.evtx.

• Third-party Tools and Malware:

  • Specialized malware or hacking tools may incorporate event log clearing capabilities.

  • Examples include advanced persistent threat (APT) toolkits or popular offensive security frameworks like Metasploit and Cobalt Strike.

• Selective Log Deletion or Tampering:

  • Rather than clearing entire logs, sophisticated attackers may selectively delete or overwrite specific log entries to avoid suspicion.

  • This selective approach can make detection more challenging and forensic analysis less effective.

When this Technique is Usually Used

Clearing Windows Event Logs is predominantly observed during the following attack scenarios and stages:

• Post-Exploitation and Privilege Escalation:

  • After gaining administrative privileges, attackers clear logs to hide evidence of privilege escalation attempts and successful exploitations.

• Lateral Movement and Persistence:

  • Attackers frequently clear logs after lateral movement activities (such as remote logins, remote code execution, or credential theft) to evade detection during incident response investigations.

• Data Exfiltration:

  • Logs may be cleared to conceal evidence of data access, transfer, or exfiltration activities.

• Cleanup and Anti-Forensics:

  • As part of the final stages of an attack, adversaries commonly erase logs to complicate forensic analysis, incident response, and attribution efforts.

• Malware Installation and Execution:

  • Clearing logs after malware installation or execution prevents defenders from identifying suspicious processes, file creations, or unauthorized activities.

How this Technique is Usually Detected

Detection of event log clearing activities involves multiple monitoring strategies, tools, and indicators of compromise (IoCs):

• Event Log Monitoring:

  • Monitor Windows event IDs associated specifically with log clearing:

    • Event ID 1102 (Security log cleared)

    • Event ID 104 (System log cleared)

  • Configure alerting on these event IDs to detect suspicious clearing activities promptly.

• Endpoint Detection and Response (EDR) Tools:

  • EDR solutions can detect suspicious command-line activities or process executions indicative of log clearing (wevtutil.exe, Clear-EventLog cmdlets).

  • Behavioral analysis can flag unusual or anomalous use of administrative tools.

• Centralized Log Management and SIEM:

  • Implement centralized logging solutions and Security Information and Event Management (SIEM) systems to detect log clearing events through correlation rules and real-time alerts.

  • SIEM correlation rules can detect sudden disappearance of logs or abnormal log activity patterns.

• File Integrity Monitoring (FIM):

  • FIM tools (e.g., OSSEC, Tripwire) can detect unauthorized changes, deletions, or modifications to log files (.evtx files).

• Indicators of Compromise (IoCs):

  • Presence of the following events or artifacts can indicate log clearing:

    • Sudden gaps or missing timeframes in event logs.

    • Presence of wevtutil.exe or PowerShell commands in process execution logs.

    • Suspicious deletions or modifications of log files in %SystemRoot%\System32\winevt\Logs\.

Why it is Important to Detect This Technique

Early detection of Windows Event Log clearing activities is critical due to the following potential impacts and considerations:

• Loss of Critical Evidence:

  • Event logs provide essential forensic evidence for incident response and investigation. Clearing logs severely hampers the ability to reconstruct attacker actions, timelines, and entry points.

• Delayed Incident Response:

  • Without logs, incident responders may struggle to identify and contain threats promptly, allowing attackers extended dwell time within compromised networks.

• Increased Risk of Persistent Compromise:

  • Attackers clearing logs may have established persistence mechanisms that remain undetected, increasing the likelihood of long-term compromise and further malicious activities.

• Compliance and Regulatory Implications:

  • Organizations subject to regulatory compliance (e.g., PCI DSS, HIPAA, GDPR) may face penalties if attackers clear logs, preventing required audit trails and reporting.

• Reduced Attribution Capability:

  • Loss of log data significantly reduces the chance of attributing attacks to specific threat actors, complicating threat intelligence and future defense strategies.

Examples

Real-world examples and attack scenarios involving the clearing of Windows Event Logs include:

• APT29 (Cozy Bear):

  • Known to clear event logs using commands such as wevtutil cl Security to erase evidence of credential theft, lateral movement, and persistence activities during espionage campaigns.

• NotPetya Ransomware (2017):

  • NotPetya malware cleared event logs as part of its destructive payload, severely complicating forensic analysis and remediation efforts for impacted organizations globally.

• FIN7 Cybercrime Group:

  • FIN7 attackers have been documented using PowerShell and built-in Windows utilities to clear event logs after deploying malware and stealing payment card information from compromised point-of-sale systems.

• Metasploit Framework Usage:

  • Attackers leveraging Metasploit modules often incorporate commands to clear event logs as part of automated post-exploitation procedures, reducing the likelihood of detection during penetration tests or malicious intrusions.

• Emotet Malware:

  • Emotet infections have been observed clearing event logs after initial infection and lateral movement to evade detection and maintain persistence within enterprise environments.

In each of these scenarios, attackers aimed to eliminate evidence of their intrusion, complicating detection, response, and forensic investigations, underscoring the importance of robust monitoring and detection strategies.