detection.wiki

ATT&CK coverage › Technique

Indicator Removal: Clear Windows Event Logs T1070.001

Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.

Events covered

6 catalog events are tagged with this technique by at least one rule.

ProviderEvent IDTitle
Sysmon1Process creation
Security-Auditing4719System audit policy was changed.
Eventlog104The LogFileCleared.Channel log file was cleared.
Eventlog1100The event logging service has shut down.
Eventlog1102The audit log was cleared.
PowerShell4104Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 10 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (11 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
Channel3eq 2, in 1System, Security, Microsoft-Windows-PowerShell/Operational
Provider_Name3eq 3Microsoft-Windows-Eventlog, Security
Image2ends_with 2\wmic.exe, \pwsh.exe, \wevtutil.exe, \logman.exe
OriginalFileName2eq 2wevtutil.exe, Logman.exe
CommandLine2match 2Limit-EventLog , Clear, Remove-EventLog , delete , SYSMON TRACE
EventID2eq 2104, 1102, 1100
AuditPolicyChangesDescription1eq 1, in 1Success removed, Success Added
SubCategory1in 1Process Creation, Security Group Management, User Account Management
EventType1in 1Log clear, audit-log-cleared
ScriptBlockText1match 1Limit-EventLog , Remove-EventLog , Clear-WinEvent
ParentImage1eq 1C:\Windows\SysWOW64\msiexec.exe, C:\Windows\System32\msiexec.exe

Top indicator values (62 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

FieldKindValueRules (here)Corpus reach
Provider_NameeqMicrosoft-Windows-Eventlog33
ChanneleqSystem22
ChanneleqMicrosoft-Windows-PowerShell/Operational22
ChanneleqMicrosoft-Windows-Sysmon/Operational22
ChanneleqWindows PowerShell22
ChanneleqSecurity22
ChanneleqPowerShellCore/Operational22
SubCategoryinOther System Events1
SubCategoryinLogon1
SubCategoryinProcess Creation1
AuditPolicyChangesDescriptioninSuccess Added1
AuditPolicyChangesDescriptioneqSuccess removed1
AuditPolicyChangesDescriptioninSuccess removed1
SubCategoryinSecurity Group Management1
SubCategoryinAudit Policy Change1
SubCategoryinUser Account Management1
EventTypeinaudit-log-cleared1
EventTypeinLog clear1
ChannelinSecurity1
ChannelinSystem1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 6 rules

Elastic 2 rules

Splunk 2 rules