This note documents detection patterns related to Log Clearing within Windows environments.
## Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 1102 | Audit log cleared | Critical | Highest-value native indicator that Security log was cleared. |
| System | 104 | Log file cleared | Critical | Detects clearing of System / Application logs. |
| Security | 4688 | Process creation | Critical | Detects wevtutil, PowerShell, or custom clearing tools; the command line is only recorded when command-line auditing ("Include command line in process creation events") is enabled. |
| Sysmon | 1 | Process creation | Critical | Best execution source for log clearing commands and lineage. |
| PowerShell | 4104 | Script block logging | Critical | Captures Clear-EventLog, Remove-EventLog, or wevtutil wrappers. |
| Sysmon | 11 | File create | Medium | Temporary export files before deletion. |
| Sysmon | 23 | File delete | High | Log file deletion attempts or temp cleanup. |
## Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| wevtutil cl usage | Clear specific log channel | Critical | Common attacker method. |
| Security log cleared after attack chain | Cover-up timing | Critical | Strong intent signal. |
| PowerShell clears logs | Scripted anti-forensics | Critical | Common in automation. |
| Multiple logs cleared rapidly | Broad anti-forensics | Critical | Aggressive cleanup pattern. |
| Event gap appears | Missing timeline continuity | High | Strong forensic clue. |
| Log export before clear | Selective removal workflow | High | Indicates operator discipline. |
## Common Tools
| Tool | Usage |
|---|---|
| wevtutil.exe | Native log clearing |
| PowerShell | Clear-EventLog / Remove-EventLog |
| cmd.exe | Wrapper for wevtutil |
| custom scripts | Bulk channel clearing |
| eventvwr.msc | Manual GUI clearing |
## Relevant Artifacts
- Security Event ID 1102
- System Event ID 104
- Security Event ID 4688
- Sysmon Event IDs 1, 11, 23
- PowerShell 4104
- Prefetch: WEVTUTIL.EXE, POWERSHELL.EXE
- Amcache / ShimCache
- EDR command lineage
- Surviving forwarded logs
- SIEM retention copy
## MITRE ATT&CK References
- T1070.001 Clear Windows Event Logs
- T1070 Indicator Removal on Host
## Decision Tree
- Which log was cleared?
  - Security
  - System
  - Application
  - Custom channel
- Which process executed the clear?
  - wevtutil
  - PowerShell
  - GUI
- Is the timing suspicious?
  - After execution
  - After credential theft
  - Before disconnect
- Which telemetry survives?
  - Sysmon
  - EDR
  - Forwarded logs
- Expand:
  - Adjacent anti-forensics
  - File deletion
  - Registry cleanup
- Scope:
  - Single host
  - Multi-host cleanup
  - Automated script
## Example Detection Templates

### KQL

```kql
SecurityEvent
| where EventID == 1102
| project TimeGenerated, Computer, Account
```

```kql
// Assumes a Sysmon parser function or custom table named Sysmon that exposes CommandLine;
// raw Sysmon records land in the Event table with Source == "Microsoft-Windows-Sysmon".
Sysmon
| where EventID == 1
| where CommandLine has_any ("wevtutil cl", "Clear-EventLog", "Remove-EventLog")
| project TimeGenerated, Computer, User, CommandLine
```

### EQL

```eql
// like~ is the case-insensitive form, so "WEVTUTIL CL" matches as well
process where process.command_line like~ "*wevtutil cl*" or process.command_line like~ "*Clear-EventLog*"
```

```eql
// Clearing tool launched, then a Security 1102 or System 104 on the same host within 5 minutes
sequence by host.name with maxspan=5m
  [ process where process.name in~ ("wevtutil.exe", "powershell.exe") ]
  [ any where event.code in ("1102", "104") ]
```

### Sigma

```yaml
title: Windows Log Clearing Detection
id: 8a2c5f10-log-clearing
status: experimental
description: Detects Windows event log clearing activity
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  # 1102 is written to the Security log and 104 to the System log; the backend mapping
  # for product: windows must cover both channels, or split this into two rules with
  # service: security and service: system.
detection:
  selection:
    EventID:
      - 1102
      - 104
  condition: selection
fields:
  - EventID
  - Account
falsepositives:
  - Administrative maintenance
level: high
tags:
  - attack.defense_evasion
  - attack.t1070.001
```
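The same logic as one runnable check: an added Python example, not part of the original note, that mirrors the EQL sequence (clearing command, then 1102/104 on the same host within 5 minutes) and the "multiple logs cleared rapidly" indirect indicator over constructed sample events. The flat event-dict layout, host names and timestamps are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): Sysmon ID 1 process creations plus
# Security 1102 / System 104 clear events, flattened to one dict per record (assumed layout).
SAMPLE_EVENTS = [
    {"ts": "2026-03-07T10:00:00", "host": "WS01", "event_id": 1, "user": "CORP\\admin",
     "command_line": "wevtutil.exe cl Security"},
    {"ts": "2026-03-07T10:00:02", "host": "WS01", "event_id": 1102, "channel": "Security"},
    {"ts": "2026-03-07T10:00:05", "host": "WS01", "event_id": 104, "channel": "System"},
    {"ts": "2026-03-07T10:00:09", "host": "WS01", "event_id": 104, "channel": "Application"},
    {"ts": "2026-03-07T14:30:00", "host": "WS02", "event_id": 1, "user": "CORP\\svc",
     "command_line": "powershell.exe -c Get-EventLog -LogName System -Newest 5"},
    {"ts": "2026-03-07T15:00:00", "host": "WS02", "event_id": 104, "channel": "Application"},
]

# Command-line patterns from the indicator tables: wevtutil cl, Clear-EventLog, Remove-EventLog.
CLEAR_CMD = re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b|Clear-EventLog|Remove-EventLog", re.I)
CLEAR_EVENT_IDS = {1102, 104}    # the log itself records that it was cleared
PROCESS_EVENT_IDS = {1, 4688}    # Sysmon 1 / Security 4688 process creation
def ts(e): return datetime.fromisoformat(e["ts"])  # ISO-8601 string -> datetime

def find_clear_commands(events):
    """Direct indicator: a process creation whose command line clears a channel."""
    return [e for e in events
            if e["event_id"] in PROCESS_EVENT_IDS and CLEAR_CMD.search(e.get("command_line", ""))]

def correlate_clear(events, maxspan=timedelta(minutes=5)):
    """EQL-sequence equivalent: clearing command, then 1102/104 on the same host within maxspan."""
    hits = []
    for cmd in find_clear_commands(events):
        for e in events:
            if (e["host"] == cmd["host"] and e["event_id"] in CLEAR_EVENT_IDS
                    and timedelta(0) <= ts(e) - ts(cmd) <= maxspan):
                hits.append((e["host"], cmd["command_line"], e["event_id"], e["channel"]))
    return hits

def rapid_multi_clear(events, min_channels=3, window=timedelta(minutes=2)):
    """'Multiple logs cleared rapidly': hosts with >= min_channels distinct channels cleared in one window."""
    clears = sorted((e for e in events if e["event_id"] in CLEAR_EVENT_IDS), key=ts)
    flagged = {}
    for i, first in enumerate(clears):
        channels = {e["channel"] for e in clears[i:]
                    if e["host"] == first["host"] and ts(e) - ts(first) <= window}
        if len(channels) >= min_channels:
            flagged[first["host"]] = channels
    return flagged
```

The WS02 PowerShell line is a benign read of the System log and is deliberately not matched, while the lone 104 on WS02 with no preceding clearing command is left for the timeline-gap review rather than fired as a correlated hit.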
## Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Forward logs centrally | Preserve remote copy | Critical | Defeats local clear |
| Alert on 1102 / 104 | Immediate detection | Critical | High-confidence signal |
| Restrict wevtutil use | Limit admin access | High | Reduce abuse |
| PowerShell logging | Capture scripted clears | High | Strong visibility |
| Timeline gap review | Hunt abrupt silence | High | Strong forensic clue |