Description
Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.
With administrator privileges, the event logs can be cleared with the following utility commands:
* `wevtutil cl system`
* `wevtutil cl application`
* `wevtutil cl security`
These logs may also be cleared through other mechanisms, such as the event viewer GUI or PowerShell. For example, adversaries may use the PowerShell command Remove-EventLog -LogName Security to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)
Adversaries may also attempt to clear logs by directly deleting the stored log files within C:\Windows\System32\winevt\logs\.
Platforms
Mitigations (3)
Remote Data Storage (M1029)
Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system.
Encrypt Sensitive Information (M1041)
Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.
Restrict File and Directory Permissions (M1022)
Protect locally stored event files with proper permissions and authentication, and limit the chances an adversary has to gain the privileges needed to clear them by preventing Privilege Escalation.
Threat Groups (14)
| ID | Group | Context |
|---|---|---|
| G1054 | MirrorFace | [MirrorFace](https://attack.mitre.org/groups/G1054) has deleted Windows event logs.(Citation: JPCERT MirrorFace JUL 2024) |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) attempted to remove evidence of some of its activity by clearing Windows security and system events.(Ci... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has selectively cleared Windows Event Logs, system logs, and other technical artifacts to remov... |
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) clears Windows Event logs and Sysmon logs from the system.(Citation: FireEye APT38 Oct 2018) |
| G1040 | Play | [Play](https://attack.mitre.org/groups/G1040) has used tools to remove log files on targeted systems.(Citation: CISA Play Ransomware Advisory December... |
| G0053 | FIN5 | [FIN5](https://attack.mitre.org/groups/G0053) has cleared event logs from victims.(Citation: Mandiant FIN5 GrrCON Oct 2016) |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has cleared event logs on compromised hosts.(Citation: NCC Group Chimera January 2021) |
| G0035 | Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has cleared Windows event logs and other logs produced by tools they used, including system, securi... |
| G0061 | FIN8 | [FIN8](https://attack.mitre.org/groups/G0061) has cleared logs during post compromise cleanup activities.(Citation: FireEye Know Your Enemy FIN8 Aug 2... |
| G0119 | Indrik Spider | [Indrik Spider](https://attack.mitre.org/groups/G0119) has used [Cobalt Strike](https://attack.mitre.org/software/S0154) to empty log files.(Citation:... |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) has cleared select event log entries.(Citation: FireEye APT32 May 2017) |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has cleared event logs, including by using the commands <code>wevtutil cl System</code> and <code>wevtu... |
| G0143 | Aquatic Panda | [Aquatic Panda](https://attack.mitre.org/groups/G0143) clears Windows Event Logs following activity to evade defenses.(Citation: Crowdstrike HuntRepor... |
| G0125 | HAFNIUM | [HAFNIUM](https://attack.mitre.org/groups/G0125) has cleared actor-performed actions from logs.(Citation: Microsoft Silk Typhoon MAR 2025) |
Associated Software (26)
| ID | Name | Type | Context |
|---|---|---|---|
| S1133 | Apostle | Malware | [Apostle](https://attack.mitre.org/software/S1133) will attempt to delete all event logs on a victim machine following file wipe activity.(Citation: S... |
| S1068 | BlackCat | Malware | [BlackCat](https://attack.mitre.org/software/S1068) can clear Windows event logs using `wevtutil.exe`.(Citation: Microsoft BlackCat Jun 2022) |
| S0182 | FinFisher | Malware | [FinFisher](https://attack.mitre.org/software/S0182) clears the system event logs using <code> OpenEventLog/ClearEventLog APIs </code>.(Citation: FinF... |
| S0089 | BlackEnergy | Malware | The [BlackEnergy](https://attack.mitre.org/software/S0089) component KillDisk is capable of deleting Windows Event Logs.(Citation: ESEST Black Energy ... |
| S1060 | Mafalda | Malware | [Mafalda](https://attack.mitre.org/software/S1060) can delete Windows Event logs by invoking the `OpenEventLogW` and `ClearEventLogW` functions.(Citat... |
| S0688 | Meteor | Malware | [Meteor](https://attack.mitre.org/software/S0688) can use [Wevtutil](https://attack.mitre.org/software/S0645) to remove Security, System and Applicati... |
| S1135 | MultiLayer Wiper | Malware | [MultiLayer Wiper](https://attack.mitre.org/software/S1135) removes Windows event logs during execution.(Citation: Unit42 Agrius 2023) |
| S0032 | gh0st RAT | Malware | [gh0st RAT](https://attack.mitre.org/software/S0032) is able to wipe event logs.(Citation: FireEye Hacking Team)(Citation: Gh0stRAT ATT March 2019) |
| S0368 | NotPetya | Malware | [NotPetya](https://attack.mitre.org/software/S0368) uses <code>wevtutil</code> to clear the Windows event logs.(Citation: Talos Nyetya June 2017)(Cita... |
| S1202 | LockBit 3.0 | Malware | [LockBit 3.0](https://attack.mitre.org/software/S1202) can delete log files on targeted systems.(Citation: Joint Cybersecurity Advisory LockBit JUN 20... |
| S1178 | ShrinkLocker | Malware | [ShrinkLocker](https://attack.mitre.org/software/S1178) calls [Wevtutil](https://attack.mitre.org/software/S0645) to clear the Windows PowerShell and ... |
| S0698 | HermeticWizard | Malware | [HermeticWizard](https://attack.mitre.org/software/S0698) has the ability to use `wevtutil cl system` to clear event logs.(Citation: ESET Hermetic Wiz... |
| S1242 | Qilin | Malware | [Qilin](https://attack.mitre.org/software/S1242) has the ability to clear Windows Event Logs.(Citation: Halcyon Qilin.B OCT 2024)(Citation: Sophos Qil... |
| S0365 | Olympic Destroyer | Malware | [Olympic Destroyer](https://attack.mitre.org/software/S0365) will attempt to clear the System and Security event logs using <code>wevtutil</code>.(Cit... |
| S0203 | Hydraq | Malware | [Hydraq](https://attack.mitre.org/software/S0203) creates a backdoor through which remote attackers can clear all system event logs.(Citation: Symante... |
| S0607 | KillDisk | Malware | [KillDisk](https://attack.mitre.org/software/S0607) deletes Application, Security, Setup, and System Windows Event Logs.(Citation: ESEST Black Energy ... |
| S1199 | LockBit 2.0 | Malware | [LockBit 2.0](https://attack.mitre.org/software/S1199) can delete log files through the use of wevtutil.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation:... |
| S1212 | RansomHub | Malware | [RansomHub](https://attack.mitre.org/software/S1212) can delete events from the Security, System, and Application logs.(Citation: Group-IB RansomHub F... |
| S0253 | RunningRAT | Malware | [RunningRAT](https://attack.mitre.org/software/S0253) contains code to clear event logs.(Citation: McAfee Gold Dragon) |
| S0645 | Wevtutil | Tool | [Wevtutil](https://attack.mitre.org/software/S0645) can be used to clear system and security event logs from the system.(Citation: Wevtutil Microsoft ... |
References
Frequently Asked Questions
What is T1685.005 (Clear Windows Event Logs)?
T1685.005 is a MITRE ATT&CK technique named 'Clear Windows Event Logs'. It belongs to the Defense Impairment tactic(s). Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of event...
How can T1685.005 be detected?
Detection of T1685.005 (Clear Windows Event Logs) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
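The description above names three clearing mechanisms (wevtutil cl, Remove-EventLog, and deleting files under C:\Windows\System32\winevt\logs\), and this answer points at SIEM rules over forwarded telemetry. The following Python detector is an added example, not code from the ATT&CK page or from MITRE; it runs over a constructed batch of forwarded Windows events and covers all three mechanisms. The Windows Event IDs are real (Security 1102 and System 104 are written by the Event Log service itself when a log is cleared; Security 4688 is process creation, which carries a command line only when command-line auditing is enabled; Security 4663 is object access, which only fires for the log directory when a SACL auditing DELETE is set on it). The dict schema of the events and the assumption that the forwarder has decoded the 4663 access mask to names such as DELETE are mine.

```python
import re
from dataclasses import dataclass

# (channel, event_id) pairs the Event Log service writes when a log is cleared:
# Security 1102 "The audit log was cleared", System 104 "The <name> log file was cleared".
LOG_CLEARED_IDS = {("Security", 1102), ("System", 104)}

# Command-line patterns for the clearing mechanisms named on the page. They only
# appear in Security 4688 (process creation) when command-line auditing is enabled.
CLEAR_CMD_PATTERNS = [
    re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.IGNORECASE),
    re.compile(r"\bRemove-EventLog\b", re.IGNORECASE),
]

# Direct deletion of stored log files, seen in Security 4663 (object access) only
# when a SACL auditing DELETE exists on the winevt\logs directory.
EVTX_PATH = re.compile(r"\\Windows\\System32\\winevt\\logs\\[^\\]+\.evtx$", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    detail: str


def detect_log_clearing(events):
    """Return one Alert per event that indicates Windows Event Log clearing.

    `events` is an iterable of dicts in an assumed forwarder schema:
    {"host": str, "channel": str, "event_id": int, "data": {...}}.
    """
    alerts = []
    for ev in events:
        channel, eid, data = ev["channel"], ev["event_id"], ev.get("data", {})
        if (channel, eid) in LOG_CLEARED_IDS:
            # 104 names the cleared log in its data; 1102 is always the Security log.
            cleared = data.get("Channel", channel)
            who = data.get("SubjectUserName", "unknown")
            alerts.append(Alert(ev["host"], "log_cleared", f"{cleared} cleared by {who}"))
        elif channel == "Security" and eid == 4688:
            cmd = data.get("CommandLine", "")
            if any(p.search(cmd) for p in CLEAR_CMD_PATTERNS):
                alerts.append(Alert(ev["host"], "clear_command", cmd))
        elif channel == "Security" and eid == 4663:
            obj = data.get("ObjectName", "")
            # Assumes the forwarder decoded the access mask to names like "DELETE".
            if "DELETE" in data.get("AccessList", "").upper() and EVTX_PATH.search(obj):
                alerts.append(Alert(ev["host"], "evtx_file_delete", obj))
    return alerts


# Constructed sample batch: two genuine clear events, two clearing commands,
# one .evtx deletion, and three benign events that must not alert.
SAMPLE_EVENTS = [
    {"host": "WS01", "channel": "Security", "event_id": 1102,
     "data": {"SubjectUserName": "jdoe"}},
    {"host": "WS01", "channel": "System", "event_id": 104,
     "data": {"SubjectUserName": "jdoe", "Channel": "Application"}},
    {"host": "WS01", "channel": "Security", "event_id": 4688,
     "data": {"CommandLine": "wevtutil.exe cl security"}},
    {"host": "WS02", "channel": "Security", "event_id": 4688,
     "data": {"CommandLine": r"notepad.exe C:\Users\jdoe\notes.txt"}},
    {"host": "WS02", "channel": "Security", "event_id": 4688,
     "data": {"CommandLine": 'powershell.exe -Command "Remove-EventLog -LogName Security"'}},
    {"host": "WS02", "channel": "Security", "event_id": 4663,
     "data": {"ObjectName": r"C:\Windows\System32\winevt\Logs\Security.evtx",
              "AccessList": "DELETE"}},
    {"host": "WS02", "channel": "Security", "event_id": 4663,
     "data": {"ObjectName": r"C:\Users\jdoe\report.docx", "AccessList": "DELETE"}},
    {"host": "WS02", "channel": "Security", "event_id": 4624,
     "data": {"TargetUserName": "jdoe"}},
]


if __name__ == "__main__":
    for alert in detect_log_clearing(SAMPLE_EVENTS):
        print(f"{alert.host}\t{alert.rule}\t{alert.detail}")
```

The 1102/104 rule is the one that works without extra audit configuration, which is why the Remote Data Storage mitigation matters: those two events are written into the log that was just cleared, so they survive only if they were forwarded off the host before the adversary cleared it.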
What mitigations exist for T1685.005?
There are 3 documented mitigations for T1685.005. Key mitigations include: Remote Data Storage, Encrypt Sensitive Information, Restrict File and Directory Permissions.
Which threat groups use T1685.005?
Known threat groups using T1685.005 include: MirrorFace, APT41, Volt Typhoon, APT38, Play, FIN5, Chimera, Dragonfly.