title: Clear Windows Event Logs (T1070.001)
id: df00tech-t1070-001
status: experimental
description: "Adversaries clear Windows Event Logs to remove evidence of intrusion activity. Primary methods include the wevtutil command-line utility (wevtutil cl system/security/application), the PowerShell Remove-EventLog cmdlet, the Windows Event Viewer GUI, and direct deletion of .evtx log files from C:\\Windows\\System32\\winevt\\logs\\. When a log is cleared, Windows generates Event ID 1102 (Security log cleared) in the Security log and Event ID 104 (System log cleared) in the System log — but these disappear if the generating log is also cleared. APT28, APT38, APT41, Volt Typhoon, LockBit 2.0/3.0, RansomHub, NotPetya, Olympic Destroyer, BlackCat, and many others routinely clear event logs as post-compromise cleanup."
references:
  - https://attack.mitre.org/techniques/T1070/001/
  - https://df00tech.com/detections/T1070.001
author: df00tech
date: 2026/04/17
tags:
  - attack.t1070.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The original KQL/SPL query could not be auto-translated; this selection covers the command-line methods named in the description (full query on df00tech).
  selection_wevtutil:
    Image|endswith: '\wevtutil.exe'
    CommandLine|contains:
      - ' cl '
      - ' clear-log '
  selection_powershell:
    CommandLine|contains: 'Remove-EventLog'
  condition: 1 of selection_*
falsepositives:
  - Authorized IT administrators clearing logs during scheduled maintenance windows
  - Log management scripts that periodically archive and clear logs as part of size management
  - Forensic investigators clearing logs on test or remediated systems after incident response
  - Some enterprise backup or audit solutions that clear logs after export to SIEM
level: high
