Sample rules
Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript
- source: sigma
- techniques:
Description
Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (deleting, backing up or clearing an event log, changing its permissions, taking ownership, etc.) from a PowerShell script, based on the logged script block text
Detection logic
selection_class:
    ScriptBlockText|contains: Win32_NTEventlogFile
selection_function:
    ScriptBlockText|contains:
        - .BackupEventlog(
        - .ChangeSecurityPermissions(
        - .ChangeSecurityPermissionsEx(
        - .ClearEventLog(
        - .Delete(
        - .DeleteEx(
        - .Rename(
        - .TakeOwnerShip(
        - .TakeOwnerShipEx(
condition: all of selection_*
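As an added example (not part of the Sigma rule or of this page), the Python below evaluates the two selections and the `all of selection_*` condition against constructed PowerShell script block logging records. The field name `ScriptBlockText` comes from the rule; the case-insensitive `contains` semantics follow Sigma's defaults, and the Event ID 4104 records are constructed sample input, not real telemetry.

```python
"""Evaluate the Win32_NTEventlogFile Sigma logic against sample script-block events."""
from typing import Dict, List

# Stand-in for the rule's detection section (transcribed from the rule text above).
RULE = {
    "selection_class": {"ScriptBlockText|contains": ["Win32_NTEventlogFile"]},
    "selection_function": {"ScriptBlockText|contains": [
        ".BackupEventlog(", ".ChangeSecurityPermissions(", ".ChangeSecurityPermissionsEx(",
        ".ClearEventLog(", ".Delete(", ".DeleteEx(", ".Rename(",
        ".TakeOwnerShip(", ".TakeOwnerShipEx(",
    ]},
}

def selection_matches(selection: Dict[str, List[str]], event: Dict[str, object]) -> bool:
    """One Sigma selection: all fields must match; a list of values is OR-ed.
    The 'contains' modifier is case-insensitive by default in Sigma."""
    for key, values in selection.items():
        field, modifier = key.split("|")
        if modifier != "contains":  # the only modifier this rule uses
            raise ValueError(f"unsupported modifier: {modifier}")
        haystack = str(event.get(field, "")).lower()
        if not any(v.lower() in haystack for v in values):
            return False
    return True

def rule_matches(event: Dict[str, object]) -> bool:
    """condition: all of selection_*  ->  every selection_* block must match."""
    return all(selection_matches(sel, event)
               for name, sel in RULE.items() if name.startswith("selection_"))

# Constructed Event ID 4104 (script block logging) records, not real telemetry.
# Event 0 is a read-only inventory of the class; it must not alert.
EVENTS = [
    {"EventID": 4104, "ScriptBlockText": "Get-WmiObject -Class Win32_NTEventlogFile | Select-Object LogfileName, FileSize"},
    {"EventID": 4104, "ScriptBlockText": "$log = Get-WmiObject Win32_NTEventlogFile -Filter \"LogFileName='Application'\"; $log.ClearEventLog()"},
    {"EventID": 4104, "ScriptBlockText": "Remove-Item C:\\temp\\old.txt; $f.Delete()"},
    {"EventID": 4104, "ScriptBlockText": "gwmi win32_nteventlogfile | % { $_.backupeventlog(\"D:\\bk\\$($_.LogfileName).evtx\") }"},
]

def matching_indexes(events: List[Dict[str, object]] = EVENTS) -> List[int]:
    """Return the positions of the events that trigger the rule."""
    return [i for i, ev in enumerate(events) if rule_matches(ev)]

if __name__ == "__main__":
    for i in matching_indexes():
        print(f"ALERT event[{i}]: {EVENTS[i]['ScriptBlockText']}")
```

Events 1 and 3 alert; event 0 shows why the rule requires both selections (reading the class is common and benign), and event 2 shows that a method name alone, without the class, is not enough.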