Indicator Removal: Clear Windows Event Logs

Other sub-techniques of Indicator Removal (10)

ID	Name
ATAGS-T1099.001	Clear Command History
ATAGS-T1099.002	Clear Linux or Mac System Logs
ATAGS-T1099.003	Clear Mailbox Data
ATAGS-T1099.004	Clear Network Connection History and Configurations
ATAGS-T1099.005	Clear Persistence
ATAGS-T1099.006	Clear Windows Event Logs
ATAGS-T1099.007	File Deletion
ATAGS-T1099.008	Network Share Connection Removal
ATAGS-T1099.009	Relocate Malware
ATAGS-T1099.010	Timestomp

Threat Actors may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.

ID: ATAGS-T1099.006

Sub-technique of: ATAGS-T1099

ⓘ

Tactic: Defense Evasion

ⓘ

Targeted Components: Software

ⓘ

Responsibility: Provider

Created: 18 April 2026

Last Modified: 18 April 2026

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.