T1070.001: T1070.001
Essential information
- MITRE technique ID
T1070.001- Confidence
- 100/100
- Revoked
- No
- Published
- 28/01/2020 18:05
- Modified
- 17/04/2026 13:15
- Author / Source
- The MITRE Corporation
Aliases
Clear Windows Event Logs
Platforms
windows
Description
Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.
With administrator privileges, the event logs can be cleared with the following utility commands:
* `wevtutil cl system`
* `wevtutil cl application`
* `wevtutil cl security`
These logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001). For example, adversaries may use the PowerShell command `Remove-EventLog -LogName Security` to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)
Adversaries may also attempt to clear logs by directly deleting the stored log files within `C:\Windows\System32\winevt\logs\`.
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | defense-evasion |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.