T1070.001 Google Chronicle · YARA-L

Detect Clear Windows Event Logs in Google Chronicle

Adversaries clear Windows Event Logs to remove evidence of intrusion activity. Primary methods include the wevtutil command-line utility (wevtutil cl system/security/application), the PowerShell Remove-EventLog cmdlet, the Windows Event Viewer GUI, and direct deletion of .evtx log files from C:\Windows\System32\winevt\logs\. When a log is cleared, Windows generates Event ID 1102 (Security log cleared) in the Security log and Event ID 104 (System log cleared) in the System log, but those records are themselves lost if the log that holds them is cleared as well. APT28, APT38, APT41, Volt Typhoon, LockBit 2.0/3.0, RansomHub, NotPetya, Olympic Destroyer, BlackCat, and many others routinely clear event logs as post-compromise cleanup.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1070 Indicator Removal
Sub-technique
T1070.001 Clear Windows Event Logs
Canonical reference
https://attack.mitre.org/techniques/T1070/001/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1070_001_clear_windows_event_logs {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects clearing of Windows Event Logs via EventID 1102/104 or wevtutil/PowerShell process execution"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1070.001"
    severity = "HIGH"
    confidence = "HIGH"
    platform = "Windows"
    created = "2026-04-17"

  events:
    $e.metadata.vendor_name = "Microsoft"
    (
      // Audit log cleared (Security log) or log cleared (System log)
      $e.metadata.product_event_type = "1102" or
      $e.metadata.product_event_type = "104" or
      // wevtutil.exe launched with a clear-family argument (cl / clear-log / clear)
      (
        re.regex($e.target.process.file.full_path, `(?i)wevtutil\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(^|\s)(cl|clear-log|clear)(\s|$)`)
      ) or
      // powershell.exe or pwsh invoking Remove-EventLog or Clear-EventLog
      (
        re.regex($e.target.process.file.full_path, `(?i)(powershell|pwsh)(\.exe)?$`) and
        re.regex($e.target.process.command_line, `(?i)(Remove-EventLog|Clear-EventLog)`)
      )
    )

  condition:
    $e
}
Severity: HIGH · Confidence: HIGH

Google Chronicle YARA-L 2.0 rule detecting Windows Event Log clearing. Matches UDM events with Microsoft product_event_type 1102 (Security log cleared) or 104 (System log cleared), plus process-based indicators: wevtutil.exe with clear-family arguments and PowerShell Remove-EventLog or Clear-EventLog cmdlets. Targets principal/target UDM process telemetry ingested via Chronicle forwarder or MDE integration.

Data Sources

  • Google Chronicle UDM (Windows Event Log via Chronicle forwarder)
  • Microsoft Defender for Endpoint via Chronicle integration
  • Chronicle Endpoint Detection telemetry

Required Tables

UDM entity and event store (Chronicle ingestion pipeline)

False Positives & Tuning

  • Legitimate administrative use of wevtutil for log size management or workstation provisioning workflows that include a clear-log step
  • Security orchestration platforms or SOAR playbooks using PowerShell Clear-EventLog to reset test environment event logs between test runs
  • Vendor-supplied management agents or MDM solutions that clear application event logs during installation or update processes
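Before pushing the rule to Chronicle, a practitioner will want to confirm that its predicates fire on each branch, stay quiet on benign wevtutil usage such as log queries, and can be tuned for the approved automation listed above. The Python harness below is an added example, not part of this page or the Argus rule: it mirrors the rule's events: section with the same regexes over constructed UDM-style events and layers a tuning exclusion on top; the APPROVED_CLEARING_ACCOUNTS allow-list, the process_event helper and the sample events are assumptions.

```python
import re

# Predicates copied from the YARA-L rule above so the harness mirrors its events: section
WEVTUTIL_PATH = re.compile(r"(?i)wevtutil\.exe$")
WEVTUTIL_CLEAR = re.compile(r"(?i)(^|\s)(cl|clear-log|clear)(\s|$)")
PS_PATH = re.compile(r"(?i)(powershell|pwsh)(\.exe)?$")
PS_CLEAR = re.compile(r"(?i)(Remove-EventLog|Clear-EventLog)")

# Assumed allow-list standing in for a Chronicle reference list (approved SOAR reset account)
APPROVED_CLEARING_ACCOUNTS = {"svc-soar-reset"}

def rule_matches(event: dict) -> bool:
    """True when a UDM-style event satisfies the rule's events: section."""
    md = event.get("metadata", {})
    if md.get("vendor_name") != "Microsoft":
        return False
    if md.get("product_event_type") in ("1102", "104"):  # log-cleared event IDs
        return True
    proc = event.get("target", {}).get("process", {})
    path = proc.get("file", {}).get("full_path", "")
    cmd = proc.get("command_line", "")
    if WEVTUTIL_PATH.search(path) and WEVTUTIL_CLEAR.search(cmd):
        return True
    return bool(PS_PATH.search(path) and PS_CLEAR.search(cmd))

def should_alert(event: dict) -> bool:
    """Rule match minus the tuning exclusion for approved service accounts."""
    user = event.get("principal", {}).get("user", {}).get("userid", "")
    return rule_matches(event) and user not in APPROVED_CLEARING_ACCOUNTS

def evaluate(events: list) -> list:
    """Return (matched_rule, alerts_after_tuning) for each event, in order."""
    return [(rule_matches(e), should_alert(e)) for e in events]

def process_event(event_id: str, user: str, path: str, cmd: str) -> dict:
    """Build a constructed UDM-style process event (sample data, not real telemetry)."""
    return {"metadata": {"vendor_name": "Microsoft", "product_event_type": event_id},
            "principal": {"user": {"userid": user}},
            "target": {"process": {"file": {"full_path": path}, "command_line": cmd}}}

WEVTUTIL = "C:\\Windows\\System32\\wevtutil.exe"
PWSH = "C:\\Program Files\\PowerShell\\7\\pwsh.exe"
SAMPLE_EVENTS = [
    {"metadata": {"vendor_name": "Microsoft", "product_event_type": "1102"},
     "principal": {"user": {"userid": "SYSTEM"}}},                         # Security log cleared
    process_event("4688", "jdoe", WEVTUTIL, "wevtutil.exe cl Security"),   # clear via wevtutil
    process_event("4688", "jdoe", WEVTUTIL, "wevtutil.exe qe Security /c:5"),  # benign query, no hit
    process_event("4688", "svc-soar-reset", PWSH, "pwsh -Command Clear-EventLog -LogName Application"),
]
```

The last sample matches the rule but is suppressed by the allow-list, which is the shape of exclusion to carry into the Chronicle rule as a reference list once the approved accounts are confirmed.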

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Clear Security Event Log with wevtutil

    Expected signal: Windows Event Log: Security Event ID 1102 (The audit log was cleared) generated just before the log is cleared. Sysmon Event ID 1: wevtutil.exe process creation with 'cl Security' argument. After clearing, the Security log is empty except for the Event ID 4608 (Windows is starting up) that follows a fresh log.

  2. Test 2: Clear Multiple Event Logs Using wevtutil Loop

    Expected signal: Multiple Sysmon Event ID 1 events for wevtutil.exe with different log names. Security Event ID 1102 for Security log. System Event ID 104 for each other log cleared. The for loop structure will appear in the parent cmd.exe command line.

  3. Test 3: Clear Event Log via PowerShell Remove-EventLog

    Expected signal: PowerShell process creation with Remove-EventLog command. Sysmon Event ID 13 (Registry): removal of the EventLog registry key under HKLM\SYSTEM\CurrentControlSet\Services\EventLog\ArgusTest. System Event ID 104 may be generated for the deleted log.
