# Clear Windows Event Logs

**ATT&CK ID:** [T1070.001](https://attack.mitre.org/techniques/T1070/001/)

**Permissions Required:**

**Description**

Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.

These logs may also be cleared through other mechanisms, such as the event viewer GUI or PowerShell.

[[Source]](https://attack.mitre.org/techniques/T1070/001/)

## **Techniques**

### Metasploit

This Meterpreter command clears the Application, System and Security logs on the compromised host.

```bash
# Meterpreter
clearev
```

### PowerShell

Running either of these commands itself generates an event recording that the log was cleared, so the action is not silent.

```powershell
# Clear the Application, Security and System logs
Clear-EventLog -LogName Application,Security,System

# Use PowerShell with wevtutil to clear every log on the system
wevtutil el | ForEach-Object { wevtutil cl $_ }
```

### **Wevtutil**

```batch
REM Clear all logs on the system (interactive cmd prompt; inside a .bat file write %%G instead of %G)
for /F "tokens=*" %G in ('wevtutil.exe el') DO wevtutil.exe cl "%G"

REM Clear select logs
wevtutil cl system
wevtutil cl application
wevtutil cl security
```

## **Mitigation**

* Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system.
* Protect locally stored event log files with appropriate permissions and authentication, and limit adversaries' opportunities to escalate to the privileges needed to clear them.
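Because every technique on this page leaves its own trace (Security event 1102 when the Security log is cleared, System event 104 from the Microsoft-Windows-Eventlog provider for other logs, and a process-creation event 4688 for the wevtutil or PowerShell command line), a collector that receives forwarded events can alert on them. The following is an added detection example, not code from this page or from any tool it describes; the flat `Channel`/`EventID`/`Provider`/`Data` record layout and the sample events are constructed assumptions.

```python
import re

# Constructed sample of forwarded events (record layout is an assumption for this example).
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4688, "Provider": "Microsoft-Windows-Security-Auditing",
     "Computer": "WS01", "Data": {"SubjectUserName": "jdoe",
                                  "CommandLine": "wevtutil.exe cl Security"}},
    {"Channel": "Security", "EventID": 1102, "Provider": "Microsoft-Windows-Eventlog",
     "Computer": "WS01", "Data": {"SubjectUserName": "jdoe"}},
    {"Channel": "System", "EventID": 104, "Provider": "Microsoft-Windows-Eventlog",
     "Computer": "WS01", "Data": {"SubjectUserName": "jdoe", "Channel": "Application"}},
    # Benign wevtutil use (querying, not clearing) must not fire.
    {"Channel": "Security", "EventID": 4688, "Provider": "Microsoft-Windows-Security-Auditing",
     "Computer": "WS02", "Data": {"SubjectUserName": "svc",
                                  "CommandLine": "wevtutil.exe qe Security /c:5"}},
]

# Command lines matching the techniques above: wevtutil cl / clear-log, Clear-EventLog, clearev.
CLEAR_CMD = re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b|clear-eventlog|\bclearev\b",
                       re.IGNORECASE)

def detect_log_clearing(events):
    """Return (computer, user, reason) findings for every log-clearing indicator seen."""
    findings = []
    for ev in events:
        prov, eid, data = ev.get("Provider", ""), ev.get("EventID"), ev.get("Data", {})
        user = data.get("SubjectUserName", "?")
        if prov == "Microsoft-Windows-Eventlog" and ev.get("Channel") == "Security" and eid == 1102:
            # 1102: "The audit log was cleared"
            findings.append((ev["Computer"], user, "Security log cleared (1102)"))
        elif prov == "Microsoft-Windows-Eventlog" and ev.get("Channel") == "System" and eid == 104:
            # 104: "The <Channel> log file was cleared"; the cleared log name is in the event data
            findings.append((ev["Computer"], user, f"{data.get('Channel', '?')} log cleared (104)"))
        elif eid == 4688 and CLEAR_CMD.search(data.get("CommandLine", "")):
            # Process creation with a command line that clears logs (needs command-line auditing on)
            findings.append((ev["Computer"], user, f"log-clearing command: {data['CommandLine']}"))
    return findings

if __name__ == "__main__":
    for computer, user, reason in detect_log_clearing(SAMPLE_EVENTS):
        print(f"{computer}\t{user}\t{reason}")
```

Meterpreter's `clearev` goes through the same Windows API as the other commands, so the 1102/104 events still fire; only the 4688 rule depends on command-line auditing being enabled.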

## **Further Reading**

**Wevtutil:** <https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil>

**Clear-EventLog:** <https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/clear-eventlog?view=powershell-5.1>
