title: Cisco Clear Logs
id: ceb407f6-8277-439b-951f-e4210e3ed956
status: experimental
description: Clear command history in network OS which is used for defense evasion
author: Austin Clark
date: 2019/08/12
modified: 2020/09/02
logsource:
    product: cisco
    service: aaa
    category: accounting
fields:
    - src
    - CmdSet
    - User
    - Privilege_Level
    - Remote_Address
detection:
    keywords:
        - 'clear logging'
        - 'clear archive'
    condition: keywords
falsepositives:
    - Legitimate administrators may run these commands
level: high
tags:
    - attack.defense_evasion
    - attack.t1146          # an old one
    - attack.t1070.003