It is unlikely that event log data would be cleared during normal operations, and it is likely that malicious attackers may try to cover their tracks by clearing an event log. When an event log gets cleared, it is suspicious. Alerting when a “Clear Event Log” is generated could point to this intruder technique. Centrally collecting events has the added benefit of making it much harder for attackers to cover their tracks. Event Forwarding permits sources to forward multiple copies of a collected event to multiple collectors, thus enabling redundant event collection. Using a redundant event collection model can minimize the single point of failure risk.

ATT&CK Detection

Technique Tactic Level of Coverage
Indicator Blocking Defense Evasion Moderate

Pseudocode

When an eventlog is cleared, a new event is created that alerts that the eventlog was cleared. For System logs, its event code 104. For Security logs, it is event code 1100 and 1102.

([log_name] == "System" and [event_code] in [1100, 1102]) or
([log_name] == "Security" and [event_code] == 104)

Unit Tests

Test Case 1:

  • Configurations: Windows 7
  • Requirements: Administrator account, Powershell
  • Description: You can use the powershell cmdlet “Clear-Eventlog” to clear event logs. Open Powershell as administrator and execute Clear-Eventlog Clear-EventLog [-LogName] \<String[]\>. Additional information here.
  • Commands:
    Clear-Eventlog Security
    Clear-Eventlog System