Defense evasion | InfoSec Notes
Windows event logs record the activity and a number of operations conducted on the system.

The following notable hives, located in %systemroot%\System32\winevt\Logs, may be of interest for forensic analysis (and should thus be deleted in priority to hide adversary activity):

- Security.evtx: user logon / logoff, local accounts and groups operations, process creation with command line if activated, etc.
- System.evtx: Windows service operations (creation, execution, deletion, etc.).
- Windows PowerShell.evtx and Microsoft-Windows-PowerShell%4Operational.evtx: PowerShell activity, with a varying level of detail depending on the system configuration (activation of the non default Module Logging, Script Block Logging, etc.).
- Microsoft-Windows-TaskScheduler%4Operational.evtx: scheduled tasks operations (registration, execution, deletion, etc.).
- Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx, Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx, and Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx: RDP activity, such as access to the Windows login screen and remote interactive logons through RDP.
- Microsoft-Windows-WinRM%4Operational.evtx: WinRM activity (PowerShell remoting, for instance).
- Microsoft-Windows-Shell-Core%4Operational.evtx: programs executed through the Run / RunOnce ASEP registry keys.
- Microsoft-Windows-AppLocker%4EXE and DLL.evtx and Microsoft-Windows-AppLocker%4MSI and Script.evtx (and the other Microsoft-Windows-AppLocker%4*.evtx hives): execution of binaries and scripts if AppLocker is activated, at least in Audit only mode (non default).

Note that upon clearing of some EVTX hives (such as the Security and System hives), specific events are generated to keep a trace of the clearing. Refer to the [DFIR] Windows - EVTX integrity note for more information on the Windows events generated by event log deletion.
```powershell
# Clears the specified hive using the wevtutil built-in utility.
wevtutil cl <security | system | HIVE_NAME>

# Clears the specified hive using the Clear-EventLog PowerShell cmdlet.
Clear-EventLog -LogName <Security | System | HIVE_NAME>

# Clears all the classic event logs enumerated by Get-EventLog -List
# (Get-EventLog does not cover the Microsoft-Windows-*%4Operational channels).
$AllLogs = Get-EventLog -List | ForEach-Object { $_.Log }
$AllLogs | ForEach-Object { Clear-EventLog -LogName $_ }
```
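As an added defender-side example (not part of the original note), the following Python script scans an XML event export, such as the output of `wevtutil qe <log> /f:xml`, for the log-clearing events mentioned above. It assumes the standard IDs 1102 (Security log cleared, written to Security) and 104 (another channel cleared, written to System) and runs on a constructed sample export.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumed standard IDs written by the Eventlog service on a clear: 1102 lands in
# Security when Security is cleared, 104 lands in System when any other channel
# is cleared. Both record the clearing account (and 104 the cleared channel).
CLEAR_EVENT_IDS = {1102, 104}
# Constructed sample export in the shape `wevtutil qe <log> /f:xml` emits:
# a benign logon (4624), then a Security clear, then a PowerShell channel clear.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
 <TimeCreated SystemTime="2024-01-10T08:00:00Z"/><Channel>Security</Channel><Computer>WS01</Computer>
</System></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <Provider Name="Microsoft-Windows-Eventlog"/><EventID>1102</EventID>
 <TimeCreated SystemTime="2024-01-10T08:05:00Z"/><Channel>Security</Channel><Computer>WS01</Computer>
</System><UserData><LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
 <SubjectUserName>jdoe</SubjectUserName><SubjectDomainName>CORP</SubjectDomainName>
</LogFileCleared></UserData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <Provider Name="Microsoft-Windows-Eventlog"/><EventID>104</EventID>
 <TimeCreated SystemTime="2024-01-10T08:06:00Z"/><Channel>System</Channel><Computer>WS01</Computer>
</System><UserData><LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
 <SubjectUserName>jdoe</SubjectUserName><SubjectDomainName>CORP</SubjectDomainName>
 <Channel>Microsoft-Windows-PowerShell/Operational</Channel>
</LogFileCleared></UserData></Event>
</Events>"""


def find_log_clears(xml_text):
    """Return one record per log-clearing event (1102 / 104) in an XML export."""
    hits = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        sys_el = ev.find("e:System", NS)
        event_id = int(sys_el.findtext("e:EventID", namespaces=NS))
        if event_id not in CLEAR_EVENT_IDS:
            continue
        # Flatten UserData by bare tag name: LogFileCleared carries its own namespace.
        fields = {el.tag.rsplit("}", 1)[-1]: (el.text or "").strip()
                  for el in ev.find("e:UserData", NS).iter()}
        hits.append({
            "time": sys_el.find("e:TimeCreated", NS).get("SystemTime"),
            "host": sys_el.findtext("e:Computer", namespaces=NS),
            "event_id": event_id,
            "actor": f"{fields.get('SubjectDomainName', '')}\\{fields.get('SubjectUserName', '?')}",
            # 104 names the cleared channel in UserData; 1102 always means Security.
            "cleared": fields.get("Channel") or sys_el.findtext("e:Channel", namespaces=NS),
        })
    return hits
```

Run against a real export, the returned records give the timestamp, host, clearing account and cleared channel to pivot on; a 104 or 1102 with no matching change ticket is the alert condition.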