title: Clear Windows Event Logs
description: >
  Detects the clearing of event logs through wevtutil (the abbreviated cl form) as well as
  Clear-EventLog through the CommandLine and CommandScript objects. PowerShell cmdlet detection
  returns a lot of noise for the CommandScript object, so filtering out SrcProcParentName may
  be required.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
  tactic: Defense Evasion
  technique: T1070
  subtechnique: 001
operating_system: windows
query: (TgtProcName = "wevtutil.exe" AND TgtProcCmdLine ContainsCIS "cl ") OR ((SrcProcCmdLine ContainsCIS "Clear-EventLog" OR SrcProcCmdScript ContainsCIS "Clear-EventLog") AND SrcProcParentName Not In ("WmiPrvSE.exe","PFERemediation.exe","svchost.exe"))
false_positives: null
tags: null
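To show how the query above behaves on endpoint telemetry, here is an added Python evaluator (not part of the rule file or of any vendor tooling) run over constructed records. It assumes ContainsCIS is a case-insensitive substring test while `=` and `Not In` compare exactly, and the field names mirror the query.

```python
# Added example: evaluates the rule's logic over constructed telemetry records.
# Field names mirror the query; the records themselves are made up for illustration.

# Parents the rule excludes to suppress known noisy sources of Clear-EventLog (from the query).
EXCLUDED_PARENTS = {"WmiPrvSE.exe", "PFERemediation.exe", "svchost.exe"}


def contains_cis(haystack, needle):
    """Case-insensitive substring match, the assumed semantics of ContainsCIS."""
    return needle.lower() in (haystack or "").lower()


def matches_rule(event):
    """Return the branch of the query that fired ('wevtutil' or 'clear-eventlog'), or None."""
    # Branch 1: wevtutil.exe with the abbreviated "cl " clear-log form on its command line.
    if (event.get("TgtProcName") == "wevtutil.exe"
            and contains_cis(event.get("TgtProcCmdLine"), "cl ")):
        return "wevtutil"
    # Branch 2: Clear-EventLog in the command line or script block, unless the
    # source process was launched by one of the excluded (noisy) parents.
    cmdlet_seen = (contains_cis(event.get("SrcProcCmdLine"), "Clear-EventLog")
                   or contains_cis(event.get("SrcProcCmdScript"), "Clear-EventLog"))
    if cmdlet_seen and event.get("SrcProcParentName", "") not in EXCLUDED_PARENTS:
        return "clear-eventlog"
    return None


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Fires on branch 1: abbreviated clear-log of the Security log.
    {"TgtProcName": "wevtutil.exe", "TgtProcCmdLine": "wevtutil.exe cl Security"},
    # Does not fire: the long "clear-log" form never contains the substring "cl ",
    # a gap in the rule as written that defenders should be aware of.
    {"TgtProcName": "wevtutil.exe", "TgtProcCmdLine": "wevtutil.exe clear-log Security"},
    # Fires on branch 2: cmdlet on the command line from a non-excluded parent.
    {"TgtProcName": "powershell.exe", "SrcProcParentName": "explorer.exe",
     "SrcProcCmdLine": "powershell -c Clear-EventLog -LogName Security"},
    # Does not fire: same cmdlet in a script block, but parent is on the exclusion list.
    {"TgtProcName": "powershell.exe", "SrcProcParentName": "svchost.exe",
     "SrcProcCmdScript": "clear-eventlog Application"},
]


def evaluate(events=SAMPLE_EVENTS):
    """Apply the rule to each record and return the matched branch per record."""
    return [matches_rule(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate()):
        print(hit or "no match", "<-", event)
```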