
DET0532 Detection of Event Log Clearing on Windows via Behavioral Chain

| Item | Value |
| --- | --- |
| ID | DET0532 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1070.001 (Clear Windows Event Logs)

Analytics

Windows

AN1472

Detects a behavioral sequence in which an adversary gains elevated privileges and then clears event logs, whether through native binaries (e.g., wevtutil), PowerShell cmdlets, or direct deletion of the underlying .evtx files.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Application Log Content (DC0038) | WinEventLog:Security | EventCode=1102 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| File Deletion (DC0040) | WinEventLog:Sysmon | EventCode=23 |
Mutable Elements

| Field | Description |
| --- | --- |
| TimeWindow | Time range between the log-clearing command and the 1102 event; tunable to reduce false positives |
| UserContext | Filter by admin/elevated users; allows tuning to detect abuse of high-privilege accounts |
| CommandLinePattern | Match common variations of log-clearing commands such as Remove-EventLog and wevtutil cl |
| TargetLogName | Scope detection to Security, System, Application, or custom logs based on environment |
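The correlation described by AN1472, with the four mutable elements above exposed as parameters, as an added worked example (this is not MITRE's code or the analytic's published query). It assumes the three log sources have already been normalized into one event shape with `host`, `time`, `channel`, `code`, `user`, plus `integrity`/`cmdline` for Sysmon 1 and `target` for Sysmon 23; the event records are constructed sample data, and the hostnames and user names are placeholders. The `Clear-EventLog` cmdlet pattern is an addition to the two command variants the page names.

```python
import re
from datetime import datetime, timedelta

# Mutable elements, as tunables (defaults are assumptions, not values from the page).
TIME_WINDOW = timedelta(seconds=60)                  # TimeWindow: command -> 1102 / .evtx deletion
ELEVATED_INTEGRITY = {"High", "System"}              # UserContext: only elevated process contexts
TARGET_LOGS = {"security", "system", "application"}  # TargetLogName: logs in scope (lower-cased)
# CommandLinePattern: wevtutil cl / clear-log, and the Remove-EventLog / Clear-EventLog cmdlets.
CLEAR_PATTERNS = [
    re.compile(r"wevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+\"?([\w-]+)", re.I),
    re.compile(r"(?:Remove|Clear)-EventLog\s+(?:-LogName\s+)?\"?([\w-]+)", re.I),
]

# Constructed sample telemetry (hostnames and accounts are placeholders).
SAMPLE_EVENTS = [
    # ws01: elevated wevtutil clears Security, Security 1102 follows 2 s later -> alert
    {"host": "ws01", "time": "2025-10-21T10:00:05", "channel": "WinEventLog:Sysmon", "code": 1,
     "user": "CORP\\admin.jdoe", "integrity": "High", "cmdline": "wevtutil.exe cl Security"},
    {"host": "ws01", "time": "2025-10-21T10:00:07", "channel": "WinEventLog:Security", "code": 1102,
     "user": "CORP\\admin.jdoe"},
    # ws02: PowerShell removes Application log, Sysmon 23 sees Application.evtx deleted -> alert
    {"host": "ws02", "time": "2025-10-21T11:30:00", "channel": "WinEventLog:Sysmon", "code": 1,
     "user": "CORP\\svc.backup", "integrity": "High",
     "cmdline": "powershell.exe -Command Remove-EventLog -LogName Application"},
    {"host": "ws02", "time": "2025-10-21T11:30:02", "channel": "WinEventLog:Sysmon", "code": 23,
     "user": "CORP\\svc.backup", "target": "C:\\Windows\\System32\\winevt\\Logs\\Application.evtx"},
    # ws03: a lone 1102 with no preceding clearing command in the window -> no alert
    {"host": "ws03", "time": "2025-10-21T12:00:00", "channel": "WinEventLog:Security", "code": 1102,
     "user": "NT AUTHORITY\\SYSTEM"},
    # ws04: clearing command, but the 1102 lands 10 minutes later, outside TimeWindow -> no alert
    {"host": "ws04", "time": "2025-10-21T09:00:00", "channel": "WinEventLog:Sysmon", "code": 1,
     "user": "CORP\\admin.ops", "integrity": "High", "cmdline": "wevtutil cl Security"},
    {"host": "ws04", "time": "2025-10-21T09:10:00", "channel": "WinEventLog:Security", "code": 1102,
     "user": "CORP\\admin.ops"},
    # ws05: same command at Medium integrity, filtered out by UserContext -> no alert
    {"host": "ws05", "time": "2025-10-21T13:00:00", "channel": "WinEventLog:Sysmon", "code": 1,
     "user": "CORP\\user.a", "integrity": "Medium", "cmdline": "wevtutil cl Security"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def clearing_target(cmdline):
    """Return the log name a clearing command targets (lower-cased), or None if it is not a clear."""
    for pat in CLEAR_PATTERNS:
        m = pat.search(cmdline)
        if m:
            return m.group(1).lower()
    return None


def evtx_log_name(path):
    """Map a deleted file path to its log name, or None if the file is not an .evtx log."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name[:-5].lower() if name.lower().endswith(".evtx") else None


def correlate(events, time_window=TIME_WINDOW, target_logs=TARGET_LOGS, elevated=ELEVATED_INTEGRITY):
    """Pair each elevated log-clearing process with a 1102 or matching .evtx deletion on the same host."""
    alerts = []
    for p in events:
        if not (p["channel"] == "WinEventLog:Sysmon" and p["code"] == 1):
            continue
        if p.get("integrity") not in elevated:           # UserContext
            continue
        log = clearing_target(p.get("cmdline", ""))      # CommandLinePattern
        if log is None or log not in target_logs:        # TargetLogName
            continue
        start = _ts(p["time"])
        end = start + time_window                        # TimeWindow
        evidence = set()
        for e in events:
            if e["host"] != p["host"] or not (start <= _ts(e["time"]) <= end):
                continue
            if e["channel"] == "WinEventLog:Security" and e["code"] == 1102:
                evidence.add("Security:1102")
            elif (e["channel"] == "WinEventLog:Sysmon" and e["code"] == 23
                  and evtx_log_name(e.get("target", "")) == log):
                evidence.add("Sysmon:23")
        if evidence:
            alerts.append({"host": p["host"], "user": p["user"], "log": log,
                           "evidence": sorted(evidence)})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

Only ws01 and ws02 produce alerts: the lone 1102 on ws03 has no triggering command, ws04 falls outside the 60-second window, and ws05 never ran with an elevated token. Widening `TIME_WINDOW` or adding `"Medium"` to `ELEVATED_INTEGRITY` is exactly the tuning the mutable elements table describes, and the trade-off shows up immediately as ws04 or ws05 starting to alert.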