Detect Event Log Deletions (Windows)

Test Guide


In the world of cybersecurity, event logs form the cornerstone of threat detection within SIEM (Security Information and Event Management) systems. But how effectively does your Security Operations Center (SOC) identify tampered event logs? This article explores SOC testing within your existing SIEM or during a POC (Proof of Concept).

Understanding Conventional Practices

The conventional practice of deleting event logs via the event viewer is widely understood. However, attackers often exploit less apparent methods, making it essential to explore how to assess your SOC’s readiness to catch unconventional deletion techniques, ensuring a more robust defense.

Not Just in Domain Controllers

Most of the attack stages will not be in the Domain Controllers (DC). They can be in any computer in the network. Actually, if you get an alert “Security Event Log Cleared in the Domain Controller” it’s too late – GAME OVER. The attacker has full control of your network.

To identify this activity, we must recognize it in any computer in the network and alert about it in the early stage of the attack. Here are a few different ways to clear the event logs, and It is a good idea to test your SOC reaction to them:

To clear the event logs using the Event Viewer GUI:

  1. Open Event Viewer on your local computer.
  2. Expand the Windows Logs category.
  3. Right-click the log that you want to clear and select Clear Log.
  4. Delete the Security Logs.
  5. Delete Any other Logs.
  6. Click Clear in the confirmation dialog box.

To clear the event logs using methods other than the Event Viewer GUI:

An average attacker will not use the GUI to delete their trail from the Event Viewer, and automation processes (like malware) will not use the GUI to delete traces from the Event Viewer.
The common way of clearing the event logs will be without the GUI.
Most of these methods need Local Admin privilege (How to get Local Admin rights and identify it in your SIEM will be published later on).
If you don’t have the necessary privileges, even an attempt to clear the event logs is a sign that you are at risk and need to investigate.

Command Line (CMD):

  1. Open a command prompt on your computer (Need Local Admin Privilege to do it without access denied).
  2. Type one of the following commands and press Enter:

wevtutil cl Application

wevtutil cl Microsoft-Windows-PowerShell/Operational


  1. Open Powershell on your computer (Need Local Admin Privilege to do it without access denied).
  2. Type one of the following commands and press Enter:

Clear-EventLog -LogName Application

Clear-EventLog -LogName “Windows PowerShell”

Delete EVXT files:

  1. Delete any of the files located under folder `C:\Windows\System32\winevt\Logs` on your computer.
  2. You can use Powershell command to delete those file:

Remove-Item -Path “C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx”

For some files, you will get a message like:
Remove-Item: The process cannot access the file ‘C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx’ because it is being used by another process.

Overcoming Limitations:
One way to overcome this is to stop the Windows Event Logs service. (This is also an event that needs to be alerted by the SIEM/SOC). 

Other ways:

There are other ways we didn’t cover here that an attacker can eliminate his traces (e.g., from the registry). We will cover additional methods in: 

Test Your SOC – Detect Event Log Deletions – Part II – Advanced

To receive  “Test your SOC” directly to your mail: Click Here.

To effectively detect suspicious activities, it is not only essential to possess numerous rules (CyRay provides more than 10 rules), but also imperative to gather all the requisite events from every computer.

If you are aware of alternative methods for log deletion, kindly inform us, and we will develop detection mechanisms for them.

Discovered Limitations in Your SIEM? Left Wanting More?

Schedule a call directly with our experts: Click Here.

More to explorer

New Deployed Rules

Process CreationSuspicious Execution Location Of Wermgr.EXEPotential CVE-2023-36874 Exploitation – Fake Wermgr ExecutionNetwork Reconnaissance ActivityNode Process ExecutionsNslookup PowerShell Download Cradle – Process CreationSuspicious

New Deployed Rules

Account ManagementOutgoing Logon with New CredentialsRottenPotato Like Attack PatternScanner PoC for CVE-2019-0708 RDP RCE Vuln File EventWebDAV Temporary Local File CreationSCR File

New Deployed Rules

Process CreationMMC20 Lateral Movement Process CreationMMC Spawning Windows Shell Process CreationPotential Arbitrary Command Execution Using Msdt.EXE Process CreationSuspicious MSDT Parent Process Process

Sign up for our newsletter

Time to market

One-day SIEM integration