Clearing Windows Event Logs with wevtutil

Identifies attempts to clear Windows event logs with the command wevtutil.

id:5b223758-07d6-4100-9e11-238cfdd0fe97
categories:detect
confidence:low
os:windows
created:11/30/2018
updated:11/30/2018

MITRE ATT&CK™ Mapping

tactics:Defense Evasion
techniques:T1070 Indicator Removal on Host

Query

process where subtype.create and
  process_name == "wevtutil.exe" and command_line == "* cl *"
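The query above turned into runnable detection logic, added here as an illustration (it is not part of the EQL analytics library): a small Python function approximates EQL's string `==` (treated here, as an assumption about the engine, as case-insensitive with `*` matching any run of characters) and applies the page's rule to a handful of constructed process-creation events. A second rule goes beyond the page's pattern and also covers wevtutil's long verb form `clear-log`, which the `* cl *` pattern does not match.

```python
import fnmatch
from typing import Callable, Dict, List

Event = Dict[str, str]

# Constructed sample process-creation events (not taken from any real host).
# Field names follow the EQL query on the page: subtype, process_name, command_line.
SAMPLE_EVENTS: List[Event] = [
    {"subtype": "create", "process_name": "wevtutil.exe",
     "command_line": "wevtutil cl Security"},
    {"subtype": "create", "process_name": "wevtutil.exe",
     "command_line": "wevtutil.exe clear-log System"},
    {"subtype": "create", "process_name": "wevtutil.exe",
     "command_line": "wevtutil qe Security /c:5 /f:text"},
    {"subtype": "create", "process_name": "cmd.exe",
     "command_line": "cmd.exe /c echo cl test"},
    {"subtype": "terminate", "process_name": "wevtutil.exe",
     "command_line": "wevtutil cl Application"},
]


def eql_string_eq(value: str, pattern: str) -> bool:
    """Approximate EQL's string '==': case-insensitive, with '*' matching any run
    of characters (an assumption about the engine's semantics, sufficient here)."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def page_rule(event: Event) -> bool:
    """The page's query: creation of wevtutil.exe whose command line carries the
    short clear-log verb 'cl' as a separate token."""
    return (
        event.get("subtype") == "create"
        and eql_string_eq(event.get("process_name", ""), "wevtutil.exe")
        and eql_string_eq(event.get("command_line", ""), "* cl *")
    )


def extended_rule(event: Event) -> bool:
    """Generalisation beyond the page: wevtutil also accepts the long verb
    'clear-log', which '* cl *' does not match, so cover both spellings."""
    if event.get("subtype") != "create":
        return False
    if not eql_string_eq(event.get("process_name", ""), "wevtutil.exe"):
        return False
    cmd = event.get("command_line", "")
    return any(eql_string_eq(cmd, p) for p in ("* cl *", "* clear-log *"))


def alerts(events: List[Event], rule: Callable[[Event], bool]) -> List[str]:
    """Return the command lines of every event the given rule fires on."""
    return [e["command_line"] for e in events if rule(e)]


if __name__ == "__main__":
    for name, rule in (("page query", page_rule), ("extended", extended_rule)):
        print(f"{name}:")
        for cmd in alerts(SAMPLE_EVENTS, rule):
            print(f"  ALERT  {cmd}")
```

Running it shows why the page rates its own confidence as low: the query fires only on the `cl` spelling surrounded by spaces, so the query event (`qe`) and the terminate event are correctly ignored, but the equivalent `clear-log` invocation is missed until the second pattern is added.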

Contributors