MITRE ATT&CK® Analytic

AN1472: Analytic 1472

Detects behavioral sequence where an adversary gains elevated privileges and clears event logs using native binaries (e.g., wevtutil), PowerShell, or direct file deletion of .evtx files.

Domain: Enterprise | ID: AN1472 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic describes a Windows behavior pattern where elevated privileges are followed by event log clearing using built-in tooling, PowerShell, or deletion of .evtx files. For leaders, the material issue is not only the log clearing itself; it is the potential loss of evidence needed for incident response, audit reconstruction, and understanding whether privileged access was abused.

Executive priority

Prioritize this as an evidence-preservation and privileged-activity monitoring concern. If Windows event logs can be cleared after privilege elevation without reliable alerting or off-host retention, the organization may lose the timeline needed to scope incidents, support compliance inquiries, and make timely containment decisions. Security leaders should ask whether critical Windows logs are forwarded before local deletion, whether privileged actions are monitored, and whether SOC playbooks treat log clearing as a high-priority investigation trigger.

Technical view

Validate coverage for Windows sequences that combine privilege elevation indicators with subsequent event log clearing activity. The supplied analytic specifically references native binaries such as wevtutil, PowerShell-based clearing, and direct deletion of .evtx files. Because no official detection logic is provided, detection engineering should build and test local correlation using process execution, command-line, PowerShell, file deletion, and Windows event log telemetry. IR teams should treat this sequence as possible anti-forensics and preserve off-host logs, endpoint artifacts, and privileged account context quickly.

Likely telemetry

  • Windows process creation telemetry, including image name and command-line arguments (for example wevtutil.exe invoked with the cl or clear-log verb)
  • PowerShell execution and script block or command logging where enabled (for example the Clear-EventLog cmdlet)
  • Windows event log service and event log clearing records (Security Event ID 1102, "The audit log was cleared"; System Event ID 104, "The System log file was cleared")
  • File deletion or modification telemetry for .evtx files, normally under %SystemRoot%\System32\winevt\Logs
  • Privileged account logon, elevation, and administrative activity records (for example Security Event ID 4672, special privileges assigned to new logon)

Detection direction

  • Correlate privilege elevation or privileged account use with subsequent use of wevtutil, PowerShell log-clearing commands, or .evtx deletion activity.
  • Confirm that detections do not rely only on local Windows logs that an adversary may clear; validate off-host forwarding and ingestion timing. Note that Security Event ID 1102 is written as the first record of the freshly cleared Security log, so the clearing itself survives locally but everything before it does not unless it was forwarded first.
  • Tune for legitimate administrative maintenance, troubleshooting, or log rotation activity to reduce false positives while preserving high severity for unusual users, hosts, or timing.
  • Alert on direct .evtx deletion separately from standard administrative log clearing because it may indicate a different evidence-destruction path.
  • Because ATT&CK provides no official detection logic for this analytic, test candidate rules against known administrative baselines and incident-response requirements.
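The correlation described in the technical view and the detection direction above, as an added worked example: a small Python detector run over constructed sample telemetry. This is not MITRE's analytic logic (none is published for AN1472) and not Glexia code. The event schema (time/host/user/kind fields), the sample events, the rule names, the 30-minute correlation window and the maintenance allowlist are assumptions made for the example; the Windows Event IDs it uses (4672, 1102, 104) are real.

```python
"""Correlation logic for the AN1472 pattern: privilege elevation followed by
Windows event log clearing.

Added, illustrative example. The event schema and the sample events below are
constructed; rule names, window sizes and the allowlist are assumptions. The
Windows Event IDs are real: Security 4672 (special privileges assigned to a
new logon), Security 1102 (audit log cleared), System 104 (log file cleared).
"""
import re
from datetime import datetime, timedelta

# Native tooling: "wevtutil cl <log>" or "wevtutil clear-log <log>".
WEVTUTIL_CLEAR = re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.IGNORECASE)
# PowerShell: the Clear-EventLog cmdlet or the .NET EventLogSession.ClearLog() API.
PS_CLEAR = re.compile(r"\bClear-EventLog\b|\.ClearLog\(", re.IGNORECASE)
# Direct deletion of a log file from the winevt\Logs directory.
EVTX_DELETE = re.compile(r"\\winevt\\logs\\[^\\]+\.evtx$", re.IGNORECASE)

ELEVATION_IDS = {4672}                 # privilege elevation indicator
CLEARED_RECORD_IDS = {1102, 104}       # the OS's own "log was cleared" records
WINDOW = timedelta(minutes=30)         # elevation-to-clearing window (assumed)
CONFIRM_WINDOW = timedelta(minutes=2)  # 1102/104 corroborating a command (assumed)


def classify(ev):
    """Map one telemetry event to a clearing category, or None if unrelated."""
    kind = ev["kind"]
    text = ev.get("cmdline") or ev.get("script") or ""
    if kind == "process" and WEVTUTIL_CLEAR.search(text):
        return "wevtutil_clear"
    if kind in ("process", "powershell") and PS_CLEAR.search(text):
        return "powershell_clear"
    if kind == "file_delete" and EVTX_DELETE.search(ev.get("path", "")):
        return "evtx_delete"
    if kind == "eventlog" and ev.get("event_id") in CLEARED_RECORD_IDS:
        return "cleared_record"
    return None


def detect(events, maintenance_allowlist=frozenset()):
    """Return alerts for clearing activity correlated with prior elevation.

    Events are walked in time order. The most recent elevation per (host, user)
    is remembered; clearing within WINDOW of it is rated high. Direct .evtx
    deletion gets its own rule name so it can be triaged separately from
    wevtutil/PowerShell clearing. A 1102/104 record within CONFIRM_WINDOW of an
    existing alert corroborates it instead of raising a second one; a 1102/104
    with no matching alert is raised on its own, because it means the log was
    cleared by a path the command-line patterns did not see.
    """
    last_elevation = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["host"].upper(), ev["user"].lower())
        if ev["kind"] == "eventlog" and ev.get("event_id") in ELEVATION_IDS:
            last_elevation[key] = ev["time"]
            continue
        category = classify(ev)
        if category is None:
            continue
        if category == "cleared_record":
            recent = [a for a in alerts
                      if a["key"] == key and ev["time"] - a["time"] <= CONFIRM_WINDOW]
            if recent:
                recent[-1]["confirmed_by_os_record"] = True
                continue
        elevated_at = last_elevation.get(key)
        if elevated_at is not None and ev["time"] - elevated_at <= WINDOW:
            severity = "high"
        elif key in maintenance_allowlist:
            severity = "info"   # documented maintenance, no elevation sequence seen
        else:
            severity = "low"    # clearing without observed elevation: still review
        alerts.append({
            "rule": "AN1472.evtx_delete" if category == "evtx_delete" else "AN1472.log_clear",
            "category": category,
            "severity": severity,
            "key": key,
            "time": ev["time"],
            "elevated_at": elevated_at if severity == "high" else None,
            "confirmed_by_os_record": False,
        })
    return alerts


# Constructed sample telemetry (not real logs): one elevated user on WS01 clears
# logs three different ways, plus a documented log-rotation account on SRV02.
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    {"time": T0, "host": "WS01", "user": "CORP\\jdoe", "kind": "eventlog", "event_id": 4672},
    {"time": T0 + timedelta(minutes=3), "host": "WS01", "user": "CORP\\jdoe", "kind": "process",
     "cmdline": "wevtutil.exe cl Security"},
    {"time": T0 + timedelta(minutes=3, seconds=1), "host": "WS01", "user": "CORP\\jdoe",
     "kind": "eventlog", "event_id": 1102},
    {"time": T0 + timedelta(minutes=4), "host": "WS01", "user": "CORP\\jdoe", "kind": "process",
     "cmdline": "wevtutil.exe qe Security /c:5"},  # a query, not clearing
    {"time": T0 + timedelta(minutes=5), "host": "WS01", "user": "CORP\\jdoe", "kind": "powershell",
     "script": "Clear-EventLog -LogName System"},
    {"time": T0 + timedelta(minutes=6), "host": "WS01", "user": "CORP\\jdoe", "kind": "file_delete",
     "path": "C:\\Windows\\System32\\winevt\\Logs\\Microsoft-Windows-PowerShell%4Operational.evtx"},
    {"time": T0 + timedelta(hours=2), "host": "SRV02", "user": "CORP\\svc-logrotate",
     "kind": "process", "cmdline": "wevtutil cl Application"},
]
MAINTENANCE = frozenset({("SRV02", "corp\\svc-logrotate")})  # assumed allowlist


def run_sample():
    return detect(SAMPLE_EVENTS, MAINTENANCE)


if __name__ == "__main__":
    for a in run_sample():
        print(a["severity"].upper(), a["rule"], a["category"], a["key"],
              a["time"].isoformat(), "confirmed" if a["confirmed_by_os_record"] else "")
```

On the sample, the three WS01 events following the 4672 logon all rate high, the wevtutil clear is corroborated by the 1102 record that follows it, the .evtx deletion is raised under its own rule name, and the allowlisted rotation account is logged at info. The allowlist only downgrades clearing that has no elevation sequence in front of it, so a maintenance account that is abused after a privileged logon still alerts high.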

Mitigation priorities

  • Ensure critical Windows event logs are forwarded to centralized storage before they can be cleared locally.
  • Limit and monitor privileges required to clear event logs or delete protected log files.
  • Harden PowerShell and administrative tool usage monitoring according to organizational policy.
  • Define SOC escalation criteria for log clearing after privilege elevation, including rapid preservation of off-host evidence.
  • Review administrative procedures so legitimate log maintenance is documented and distinguishable from suspicious activity.

Analyst notes and limits

This object is a detection analytic, not a technique entry. It has Windows as the only supplied platform and no supplied tactics or relationship context. The decision value is strongest for SOC readiness, incident response evidence preservation, privileged access monitoring, and compliance support.

The official detection field is not provided, and no relationships are supplied. This take therefore avoids claiming a specific ATT&CK tactic, exploitation pattern, actor usage, or guaranteed detection outcome. Local telemetry quality, logging configuration, and administrative baselines are required to operationalize the analytic.

Official MITRE ATT&CK definition

Analytic 1472

Detects behavioral sequence where an adversary gains elevated privileges and clears event logs using native binaries (e.g., wevtutil), PowerShell, or direct file deletion of .evtx files.

The same entry is available on attack.mitre.org (MITRE-hosted reference); in-page links above use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: (empty)
Modified: (empty)
Raw hash: e114a5ee56f52cc4...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (empty) | 1.0 | (empty) | Current bundle | e114a5ee56f5…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN1472 (external source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.