diff --git a/atomics/T1070/T1070.md b/atomics/T1070/T1070.md
index 370ec5ed..3871a50f 100644
--- a/atomics/T1070/T1070.md
+++ b/atomics/T1070/T1070.md
@@ -30,6 +30,10 @@ Logs may also be cleared through other mechanisms, such as [PowerShell](https://
- [Atomic Test #5 - Overwrite Linux Log](#atomic-test-5---overwrite-linux-log)
+- [Atomic Test #6 - Delete System Logs Using PowerShell](#atomic-test-6---delete-system-logs-using-powershell)
+
+- [Atomic Test #7 - Delete System Logs Using Clear-EventLogId](#atomic-test-7---delete-system-logs-using-clear-eventlogid)
+
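Review bot: The two new TOC entries are each followed by a blank `+` line while the existing entries (e.g. `- [Atomic Test #5 - Overwrite Linux Log]`) form a tight list, so the list will render as a loose list; drop the blank lines. The Test #7 entry also names the test `Clear-EventLogId`, but the cmdlet the test runs is `Clear-EventLog` (there is no `Id` suffix), so rename it to `Delete System Logs Using Clear-EventLog` and update the anchor to `#atomic-test-7---delete-system-logs-using-clear-eventlog`.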
@@ -126,4 +130,42 @@ echo 0> #{log_path}
+
+
+
+## Atomic Test #6 - Delete System Logs Using PowerShell
+Recommended Detection: Monitor for use of the windows event log filepath in PowerShell couple with delete arguments
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `powershell`! Elevation Required (e.g. root or admin)
+```
+$eventLogId = Get-WmiObject -Class Win32_Service -Filter "Name LIKE 'EventLog'" | Select-Object -ExpandProperty ProcessId
+Stop-Process -Id $eventLogId -Force
+Remove-Item C:\Windows\System32\winevt\Logs\Security.evtx
+```
+
+
+#### Cleanup Commands:
+```
+Start-Service -Name EventLog
+```
+
+
+
+
+## Atomic Test #7 - Delete System Logs Using Clear-EventLogId
+Clear event logs using built-in PowerShell commands
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `powershell`! Elevation Required (e.g. root or admin)
+```
+Clear-EventLog -logname Application
+```
+
+
+
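Review bot: Test #6 is destructive and its cleanup does not undo it: `Remove-Item C:\Windows\System32\winevt\Logs\Security.evtx` discards the host's entire security audit history, and `Start-Service -Name EventLog` only restarts the service, which recreates an empty log. The description should state what the test does and that the deletion is not reversible, and the test should copy the .evtx to a scratch folder after the process is stopped (the file is locked while the service runs) before removing it, rather than opening with detection guidance and never saying what the test does. Two more points on the same block: `Stop-Process -Id $eventLogId -Force` kills the svchost.exe hosting EventLog, and where that process also hosts other services they go down with it, so the description should mention the side effect; and `-Filter "Name LIKE 'EventLog'"` has no wildcard, so `-Filter "Name='EventLog'"` says what it means. The "Recommended Detection" text also reads "couple with delete arguments"; that should be "coupled with", and "windows" should be capitalised. On Test #7, `Clear-EventLog` is the Windows PowerShell cmdlet and is not available in PowerShell 7, so the executor should be Windows PowerShell; the description could also name the artifact defenders look for, since clearing the Application log writes Event ID 104 (Microsoft-Windows-Eventlog) to the System log. Finally, trim the runs of three or four blank `+` lines around each test; the file otherwise uses at most two.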
diff --git a/atomics/index.md b/atomics/index.md
index 3d8fd219..5847f96d 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -272,6 +272,8 @@
- Atomic Test #3: rm -rf [macos, linux]
- Atomic Test #4: Overwrite Linux Mail Spool [linux]
- Atomic Test #5: Overwrite Linux Log [linux]
+ - Atomic Test #6: Delete System Logs Using PowerShell [windows]
+ - Atomic Test #7: Delete System Logs Using Clear-EventLogId [windows]
- [T1202 Indirect Command Execution](./T1202/T1202.md)
- Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
- Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
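Review bot: `Delete System Logs Using Clear-EventLogId` carries the stray `Id` suffix from the test name; the cmdlet is `Clear-EventLog`. Correct the name in index.yaml and regenerate this index rather than editing the entry by hand, so the two files stay in sync.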
diff --git a/atomics/index.yaml b/atomics/index.yaml
index ef998e6b..829c5021 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -7970,7 +7970,38 @@ defense-evasion:
default: "/var/log/secure"
executor:
name: bash
- command: 'echo 0> #{log_path}'
+ command: 'echo 0> #{log_path}
+
+'
+ - name: Delete System Logs Using PowerShell
+ description: 'Recommended Detection: Monitor for use of the windows event log
+ filepath in PowerShell couple with delete arguments
+
+'
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: true
+ command: |
+ $eventLogId = Get-WmiObject -Class Win32_Service -Filter "Name LIKE 'EventLog'" | Select-Object -ExpandProperty ProcessId
+ Stop-Process -Id $eventLogId -Force
+ Remove-Item C:\Windows\System32\winevt\Logs\Security.evtx
+ cleanup_command: 'Start-Service -Name EventLog
+
+'
+ - name: Delete System Logs Using Clear-EventLogId
+ description: 'Clear event logs using built-in PowerShell commands
+
+'
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: true
+ command: 'Clear-EventLog -logname Application
+
+'
T1202:
technique:
x_mitre_data_sources:
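Review bot: This hunk modifies Test #5, which the PR does not otherwise touch: `command: 'echo 0> #{log_path}'` becomes a quoted scalar with two embedded trailing newlines, and the new tests' `description`, `command` and `cleanup_command` scalars carry the same `\n\n` padding. That looks like a serialisation artefact from the blank lines in the markdown rather than intent; strip the trailing blank lines so the existing test is left unchanged and the new strings are clean. For `Delete System Logs Using Clear-EventLogId`, follow the pattern Test #5 uses for `#{log_path}` and expose the log as an `input_arguments` entry (e.g. `log_name` with `default: Application`, command `Clear-EventLog -LogName #{log_name}`) so the test can target other logs, and fix the `Id` suffix in `name`, since the cmdlet is `Clear-EventLog`. Note also that the patch touches only index.yaml, the two index markdown files and T1070.md; if these are generated from a per-technique YAML, that source file belongs in the PR as well.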
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index 3321a6c1..1e506f29 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -77,6 +77,8 @@
- [T1070 Indicator Removal on Host](./T1070/T1070.md)
- Atomic Test #1: Clear Logs [windows]
- Atomic Test #2: FSUtil [windows]
+ - Atomic Test #6: Delete System Logs Using PowerShell [windows]
+ - Atomic Test #7: Delete System Logs Using Clear-EventLogId [windows]
- [T1202 Indirect Command Execution](./T1202/T1202.md)
- Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
- Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]