MITRE ATT&CK Technique
Defense Evasion: T1070.001 Clear Windows Event Logs
Description

Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.

With administrator privileges, the event logs can be cleared with the following utility commands:

* <code>wevtutil cl system</code>
* <code>wevtutil cl application</code>
* <code>wevtutil cl security</code>

These logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001). For example, adversaries may use the PowerShell command <code>Remove-EventLog -LogName Security</code> to delete the Security EventLog and, after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)

Adversaries may also attempt to clear logs by directly deleting the stored log files within `C:\Windows\System32\winevt\logs\`.
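An added hunting script, not part of the ATT&CK page or its references, that looks for the traces each clearing method above leaves on a host. It assumes it runs elevated on the machine being checked, and relies on the records Windows itself writes when a channel is cleared (Security 1102, System 104) plus process-creation event 4688; the function name and output fields are my own.

```powershell
function Find-EventLogClearing {
    param(
        [int]$Days = 30,
        # Command lines named in the description that clear a channel.
        [string]$ClearPattern = 'wevtutil(\.exe)?\s+(cl|clear-log)\b|Clear-EventLog|Remove-EventLog'
    )
    $since    = (Get-Date).AddDays(-$Days)
    $findings = New-Object System.Collections.Generic.List[object]
    # 1. Direct evidence: Security 1102 ("The audit log was cleared") and System 104
    #    ("The <Channel> log file was cleared"); both carry the subject in UserData.
    $filters = @(
        @{ LogName = 'Security'; Id = 1102; StartTime = $since },
        @{ LogName = 'System';   Id = 104;  StartTime = $since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
            $u    = ([xml]$_.ToXml()).Event.UserData.LogFileCleared
            $chan = if ($u.Channel) { $u.Channel } else { 'Security' }   # 1102 has no Channel field
            $findings.Add([pscustomobject]@{
                Time = $_.TimeCreated; Source = "$($f.LogName)/$($f.Id)"
                Detail = "$chan cleared by $($u.SubjectDomainName)\$($u.SubjectUserName)" })
        }
    }
    # 2. Process creation (4688) whose command line matches a clearing command. CommandLine
    #    is only populated when "Include command line in process creation events" is enabled.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $cmd = (([xml]$_.ToXml()).Event.EventData.Data | Where-Object Name -eq 'CommandLine').'#text'
            if ($cmd -match $ClearPattern) {
                $findings.Add([pscustomobject]@{ Time = $_.TimeCreated; Source = 'Security/4688'; Detail = $cmd })
            }
        }
    # 3. Indirect signs: the oldest surviving Security record is newer than the window
    #    (also true after a normal rollover of a small log, so treat it as a lead), or one
    #    of the .evtx files under the winevt\Logs path from the description is missing.
    $oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($oldest -and $oldest.TimeCreated -gt $since) {
        $findings.Add([pscustomobject]@{ Time = $oldest.TimeCreated; Source = 'Security/oldest'; Detail = 'no older Security records survive' })
    }
    foreach ($log in 'System', 'Application', 'Security') {
        $path = Join-Path $env:SystemRoot "System32\winevt\Logs\$log.evtx"
        if (-not (Test-Path $path)) {
            $findings.Add([pscustomobject]@{ Time = Get-Date; Source = 'file'; Detail = "$path missing" })
        }
    }
    $findings
}

Find-EventLogClearing -Days 30 | Sort-Object Time | Format-Table -AutoSize
```

Because an attacker who clears the Security log also removes any 4688 records of the clearing command, forwarding these channels to a collector off the host is what keeps the evidence this script looks for.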

Supported Platforms
Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2020-01-28T17:05:14.707Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may clear Windows Event Logs to hide the activity '
                'of an intrusion. Windows Event Logs are a record of a '
                "computer's alerts and notifications. There are three "
                'system-defined sources of events: System, Application, and '
                'Security, with five event types: Error, Warning, Information, '
                'Success Audit, and Failure Audit.\n'
                '\n'
                '\n'
                'With administrator privileges, the event logs can be cleared '
                'with the following utility commands:\n'
                '\n'
                '* <code>wevtutil cl system</code>\n'
                '* <code>wevtutil cl application</code>\n'
                '* <code>wevtutil cl security</code>\n'
                '\n'
                'These logs may also be cleared through other mechanisms, such '
                'as the event viewer GUI or '
                '[PowerShell](https://attack.mitre.org/techniques/T1059/001). '
                'For example, adversaries may use the PowerShell command '
                '<code>Remove-EventLog -LogName Security</code> to delete the '
                'Security EventLog and after reboot, disable future logging.  '
                'Note: events may still be generated and logged in the .evtx '
                'file between the time the command is run and the '
                'reboot.(Citation: disable_win_evt_logging)\n'
                '\n'
                'Adversaries may also attempt to clear logs by directly '
                'deleting the stored log files within '
                '`C:\\Windows\\System32\\winevt\\logs\\`.',
 'external_references': [{'external_id': 'T1070.001',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1070/001'},
                         {'description': 'Heiligenstein, L. (n.d.). REP-25: '
                                         'Disable Windows Event Logging. '
                                         'Retrieved April 7, 2022.',
                          'source_name': 'disable_win_evt_logging',
                          'url': 'https://ptylu.github.io/content/report/report.html?report=25'},
                         {'description': 'Microsoft. (n.d.). Clear-EventLog. '
                                         'Retrieved July 2, 2018.',
                          'source_name': 'Microsoft Clear-EventLog',
                          'url': 'https://docs.microsoft.com/powershell/module/microsoft.powershell.management/clear-eventlog'},
                         {'description': 'Microsoft. (n.d.). EventLog.Clear '
                                         'Method (). Retrieved July 2, 2018.',
                          'source_name': 'Microsoft EventLog.Clear',
                          'url': 'https://msdn.microsoft.com/library/system.diagnostics.eventlog.clear.aspx'},
                         {'description': 'Plett, C. et al.. (2017, October '
                                         '16). wevtutil. Retrieved July 2, '
                                         '2018.',
                          'source_name': 'Microsoft wevtutil Oct 2017',
                          'url': 'https://docs.microsoft.com/windows-server/administration/windows-commands/wevtutil'}],
 'id': 'attack-pattern--6495ae23-3ab4-43c5-a94f-5638a2c31fd2',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'}],
 'modified': '2025-10-24T17:48:52.287Z',
 'name': 'Clear Windows Event Logs',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Lucas Heiligenstein'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Windows'],
 'x_mitre_version': '1.5'}
Related Threat Actors (18)
threeam
Medium

donex
Low

Dragonfly
High

Aquatic Panda
High

Volt Typhoon
High