Synopsis
Activation Period |
14 Days |
Training Period |
30 Days |
Test Period |
N/A (single event) |
Deduplication Period |
1 Day |
Required Data |
|
Detection Modules |
|
Detector Tags |
|
ATT&CK Tactic |
|
ATT&CK Technique |
|
Severity |
Low |
Description
A command line utility was used to clear the Windows Event Log.
It may be used to delete logs to cover the tracks of the malicious activity, making it harder to perform analysis.
Attacker's Goals
Delete logs to cover tracks of the malicious activity, making it harder to perform analysis.
Investigative actions
Check whether the executing process is benign, and if this was a desired behavior as part of its normal execution flow.
Variations
Security Event Log was cleared using wevtutil.exeA Sensitive Windows Event Log was cleared using wevtutil.exe