Clearing Windows Event Logs with wevtutil¶

Identifies attempts to clear Windows event logs with the command wevtutil.

id:	5b223758-07d6-4100-9e11-238cfdd0fe97
categories:	detect
confidence:	low
os:	windows
created:	11/30/2018
updated:	11/30/2018

MITRE ATT&CK™ Mapping¶

tactics:	Defense Evasion
techniques:	T1070 Indicator Removal on Host

Query¶

process where subtype.create and
  process_name == "wevtutil.exe" and command_line == "* cl *"

Detonation¶

Atomic Red Team: T1070

Contributors¶

Endgame

Read the Docs v: latest

Versions: latest

Downloads: pdf; html; epub

On Read the Docs: Project Home; Builds

Free document hosting provided by Read the Docs.