Detect Clear Windows Event Logs in Elastic Security
Adversaries clear Windows Event Logs to remove evidence of intrusion activity. Primary methods include the wevtutil command-line utility (wevtutil cl system/security/application), the PowerShell Remove-EventLog cmdlet, the Windows Event Viewer GUI, and direct deletion of .evtx log files from C:\Windows\System32\winevt\logs\. When a log is cleared, Windows generates Event ID 1102 (Security log cleared) in the Security log and Event ID 104 (System log cleared) in the System log — but these disappear if the generating log is also cleared. APT28, APT38, APT41, Volt Typhoon, LockBit 2.0/3.0, RansomHub, NotPetya, Olympic Destroyer, BlackCat, and many others routinely clear event logs as post-compromise cleanup.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1070 Indicator Removal
- Sub-technique
- T1070.001 Clear Windows Event Logs
- Canonical reference
- https://attack.mitre.org/techniques/T1070/001/
Elastic Detection Query
any where
(
event.provider == "Microsoft-Windows-Eventlog" and
event.code in ("1102", "104")
)
or
(
event.category == "process" and
process.name == "wevtutil.exe" and
process.args : ("cl", "clear-log", "clear")
)
or
(
event.category == "process" and
process.name : ("powershell.exe", "pwsh.exe") and
process.command_line : ("*Remove-EventLog*", "*Clear-EventLog*", "*wevtutil*cl*", "*wevtutil*clear*")
)Detects Windows Event Log clearing using three vectors: Event ID 1102 (Security log cleared) and 104 (System log cleared) from the Windows Eventlog provider, wevtutil.exe process invocations with clear-family arguments, and PowerShell Remove-EventLog or Clear-EventLog cmdlets. Uses ECS fields compatible with Elastic Agent and Winlogbeat ingestion pipelines.
Data Sources
Required Tables
False Positives & Tuning
- System administrators using wevtutil during scheduled maintenance windows to enforce log size policies or rotate archived .evtx files
- Automated backup or compliance scripts that clear application event logs after successfully exporting them to a SIEM or cold storage
- Security tools and endpoint agents (e.g., AV, EDR installers) invoking Clear-EventLog or wevtutil as part of clean-install or upgrade routines
Other platforms for T1070.001
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Clear Security Event Log with wevtutil
Expected signal: Windows Event Log: Security Event ID 1102 (The audit log was cleared) generated just before the log is cleared. Sysmon Event ID 1: wevtutil.exe process creation with 'cl Security' argument. After clearing, the Security log is empty except for the Event ID 4608 (Windows is starting up) that follows a fresh log.
- Test 2Clear Multiple Event Logs Using wevtutil Loop
Expected signal: Multiple Sysmon Event ID 1 events for wevtutil.exe with different log names. Security Event ID 1102 for Security log. System Event ID 104 for each other log cleared. The for loop structure will appear in the parent cmd.exe command line.
- Test 3Clear Event Log via PowerShell Remove-EventLog
Expected signal: PowerShell process creation with Remove-EventLog command. Sysmon Event ID 13 (Registry): removal of the EventLog registry key under HKLM\SYSTEM\CurrentControlSet\Services\EventLog\ArgusTest. System Event ID 104 may be generated for the deleted log.
References (5)
- https://attack.mitre.org/techniques/T1070/001/
- https://docs.microsoft.com/windows-server/administration/windows-commands/wevtutil
- https://docs.microsoft.com/powershell/module/microsoft.powershell.management/clear-eventlog
- https://ptylu.github.io/content/report/report.html?report=25
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md
Unlock Pro Content
Get the full detection package for T1070.001 including response playbook, investigation guide, and atomic red team tests.