LoFP / t1070.001
Title: admin activity
Tags: t1033, t1059, t1059.004, t1070, t1070.001, t1136, t1136.001, t1485, t1505, t1505.003, t1546, t1546.001, t1562, t1562.002, t1562.004, windows, linux, sigma

Title: installer tools that disable services, e.g. before log collection agent installation
Tags: t1070, t1070.001, t1562, t1562.001, windows, sigma

Title: it is possible that these logs may be legitimately cleared by administrators. filter as needed.
Tags: t1070, t1070.001, endpoint, splunk

Title: it is possible the event logging service gets shut down due to system errors or legitimate administration tasks. filter as needed.
Tags: t1070, t1070.001, endpoint, splunk

Title: legitimate deactivation by administrative staff
Tags: t1070, t1070.001, t1562, t1562.001, windows, sigma

Title: maintenance activity
Tags: t1070, t1070.001, t1562, t1562.002, windows, sigma

Title: network operator may disable audit event logs for debugging purposes.
Tags: t1070, t1070.001, endpoint, splunk

Title: rare need to clear logs before doing something. sometimes used by installers or cleaner scripts. the script should be investigated to determine if it's legitimate.
Tags: t1070, t1070.001, windows, sigma

Title: rollout of log collection agents (the setup routine often includes a reset of the local eventlog)
Tags: t1070, t1070.001, windows, sigma

Title: scripts and administrative tools used in the monitored environment
Tags: t1003, t1027, t1033, t1070, t1070.001, t1134, t1485, t1562, t1562.002, windows, sigma

Title: system provisioning (system reset before the golden image creation)
Tags: t1070, t1070.001, windows, sigma

Title: the wevtutil.exe application is a legitimate windows event log utility. administrators may use it to manage windows event logs.
Tags: t1070, t1070.001, endpoint, splunk