# Clear Windows Event Logs

**ATT\&CK ID:** [T1070.001](https://attack.mitre.org/techniques/T1070/001/)

**Permissions Required:**

**Description**

Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.

These logs may also be cleared through other mechanisms, such as the event viewer GUI or PowerShell.

\[[Source\]](https://attack.mitre.org/techniques/T1070/001/)

## **Techniques**

### Metasploit

This meterpreter command wipes logs from Application,System and Security logs.

```bash
# Meterpreter
clearev
```

![](/files/9A7kgEUuAV7SdR7INpDL)

### PowerShell

Performing this command leaves an event for the logs being cleared.

```powershell
#Clear Application,Security and System Logs
Clear-Eventlog -LogName Application,Security,System

# Utilize PowerShell with Wevtutil to clear all logs from the system
wevtutil el | Foreach-Object {wevtutil cl $_}
```

![](/files/x7B0DaueSgs9qPLnCNdB)

### **Wevtutil**

```
# Clear all logs on the system (cmd)
 for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"

# Clear select logs
wevtutil cl system
wevtutil cl application
wevtutil cl security
```

![](/files/kkArRoMb6jzMD3XbogbL)

## **Mitigation**

* Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system.
* Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.

## **Further Reading**

**Wevtutil:** <https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil>

**Clear-EventLog:** <https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/clear-eventlog?view=powershell-5.1>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/defense-evasion/indicator-removal/clear-windows-event-logs.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.