|ID||Name|
|T1070.001||Clear Windows Event Logs|
|T1070.002||Clear Linux or Mac System Logs|
|T1070.003||Clear Command History|
|T1070.005||Network Share Connection Removal|
|T1070.007||Clear Network Connection History and Configurations|
|T1070.008||Clear Mailbox Data|
Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.
The event logs can be cleared with the built-in wevtutil utility (clearing the Security log requires an elevated prompt, since it needs the SeSecurityPrivilege right):
wevtutil cl system
wevtutil cl application
wevtutil cl security
These logs may also be cleared through other mechanisms, such as the Event Viewer GUI ("Clear Log...") or PowerShell (for example, Clear-EventLog -LogName Security).
Dragonfly has cleared Windows event logs and other logs produced by tools they used, including system, security, terminal services, remote services, and audit logs. The actors also deleted specific Registry keys.
|ID||Mitigation||Description|
|M1041||Encrypt Sensitive Information||Obfuscate/encrypt event files locally and in transit so that an adversary reading them learns nothing about what has been recorded or what is being monitored.|
|M1029||Remote Data Storage||Automatically forward events to a log server or data repository so that the adversary cannot locate and manipulate the only copy on the local system. When possible, minimize the delay in event forwarding to avoid prolonged storage on the local system; an event forwarded before the clear survives it.|
|M1022||Restrict File and Directory Permissions||Protect locally stored event files with proper permissions and authentication, and harden against Privilege Escalation, since clearing the Security log requires administrative rights.|
|ID||Data Source||Data Component||Detects|
Monitor executed commands and arguments for actions that would delete Windows event logs via PowerShell (for example, Clear-EventLog, Remove-EventLog, or calls to the .NET EventLogSession.ClearLog method).
Monitor for unexpected deletion of Windows event logs via native binaries such as wevtutil. Clearing a log also generates an alertable event from the Event Log service itself: Event ID 1102 in the Security log ("The audit log was cleared") when the Security log is cleared, and Event ID 104 in the System log ("The <name> log file was cleared") for other logs. Event ID 1102 is written after the clear and so is the first entry in the emptied Security log; forwarding it off-host (see M1029) keeps it out of reach of a second clear.
|DS0009||Process||OS API Execution||
Monitor for Windows API calls that may clear Windows Event Logs to hide the activity of an intrusion, such as ClearEventLogW (advapi32) and EvtClearLog (wevtapi), which the tools above ultimately invoke.
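The following is an added example (not ATT&CK's or Microsoft's code) that turns the two detection ideas above into logic a practitioner can run: it flags the clearing commands listed earlier (wevtutil cl / clear-log, Clear-EventLog, Remove-EventLog, EventLogSession.ClearLog) in process and script-block records, and flags the Event Log service's own "log cleared" events (1102 in Security, 104 in System). The records are constructed samples; the field names (Channel, EventID, Provider, CommandLine, ClearedLog, SubjectUserName) and the host and user names are assumptions standing in for whatever your SIEM's export uses.

```python
"""Detection of Windows event-log clearing (T1070.001) over sample records.

Added example, not code from ATT&CK or Microsoft. Record field names and all
sample values below are assumptions chosen to resemble an exported event.
"""
import re

# Command-line patterns for the clearing tools named on the page. wevtutil
# accepts both the short verb "cl" and the long form "clear-log", and it may
# be invoked by full path or as wevtutil.exe; everything is matched case-
# insensitively because cmd.exe and PowerShell are case-insensitive.
CLEAR_CMD_PATTERNS = [
    re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I),
    re.compile(r"\bClear-EventLog\b", re.I),
    re.compile(r"\bRemove-EventLog\b", re.I),
    re.compile(r"\.ClearLog\s*\(", re.I),   # System.Diagnostics.Eventing.Reader.EventLogSession
]

# Events written by the Event Log service itself when a log is cleared.
# 1102 lives in the Security log (it is the first entry after the clear);
# 104 lives in the System log and names the cleared channel in its data.
LOG_CLEARED_EVENTS = {("Security", 1102), ("System", 104)}
EVENTLOG_PROVIDER = "Microsoft-Windows-Eventlog"


def detect_log_clearing(records):
    """Return one alert dict per matching record, in input order."""
    alerts = []
    for r in records:
        key = (r.get("Channel"), r.get("EventID"))
        if key in LOG_CLEARED_EVENTS and r.get("Provider") == EVENTLOG_PROVIDER:
            alerts.append({
                "rule": "log_cleared_event",
                "host": r.get("Computer"),
                "event_id": r["EventID"],
                # 1102 only ever refers to the Security log; 104 carries the name.
                "cleared_log": "Security" if r["EventID"] == 1102 else r.get("ClearedLog"),
                "user": r.get("SubjectUserName"),
            })
        cmd = r.get("CommandLine") or ""
        if any(p.search(cmd) for p in CLEAR_CMD_PATTERNS):
            alerts.append({
                "rule": "log_clear_command",
                "host": r.get("Computer"),
                "event_id": r.get("EventID"),
                "user": r.get("SubjectUserName"),
                "command": cmd,
            })
    return alerts


# Constructed sample records (assumed field layout). Two clearing commands,
# the two service-generated "cleared" events, and two benign wevtutil /
# PowerShell uses that must not fire.
SAMPLE_EVENTS = [
    {"Computer": "ws01.corp.example", "Channel": "Security", "EventID": 4688,
     "Provider": "Microsoft-Windows-Security-Auditing", "SubjectUserName": "jdoe",
     "CommandLine": r"C:\Windows\System32\wevtutil.exe cl Security"},
    {"Computer": "ws01.corp.example", "Channel": "Microsoft-Windows-PowerShell/Operational",
     "EventID": 4104, "Provider": "Microsoft-Windows-PowerShell", "SubjectUserName": "jdoe",
     "CommandLine": "Clear-EventLog -LogName Security, System"},
    {"Computer": "ws01.corp.example", "Channel": "Security", "EventID": 1102,
     "Provider": EVENTLOG_PROVIDER, "SubjectUserName": "jdoe"},
    {"Computer": "ws01.corp.example", "Channel": "System", "EventID": 104,
     "Provider": EVENTLOG_PROVIDER, "SubjectUserName": "jdoe", "ClearedLog": "Application"},
    {"Computer": "ws01.corp.example", "Channel": "Security", "EventID": 4688,
     "Provider": "Microsoft-Windows-Security-Auditing", "SubjectUserName": "svc_backup",
     "CommandLine": "wevtutil.exe qe Application /c:5 /f:text"},
    {"Computer": "ws01.corp.example", "Channel": "Security", "EventID": 4688,
     "Provider": "Microsoft-Windows-Security-Auditing", "SubjectUserName": "svc_backup",
     "CommandLine": 'powershell.exe -c "Get-WinEvent -LogName System -MaxEvents 5"'},
]


if __name__ == "__main__":
    for a in detect_log_clearing(SAMPLE_EVENTS):
        print(a)
```

The command-line rule fires on the process-creation (4688) or script-block (4104) record, which is written before the clear happens, so it survives even if the Security log is the target; the 1102/104 rule confirms that a clear actually occurred and which log it hit. Both rules assume events are forwarded off-host, since a local-only 1102 can be removed by simply clearing the Security log again.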