Techniques
Sample rules
Suspicious Eventlog Clearing or Configuration Change Activity
- source: sigma
- techniques:
- t1070
- t1070.001
- t1562
- t1562.002
Description
Detects the clearing or configuration tampering of the Windows Event Log using utilities such as "wevtutil", "powershell" and "wmic". This technique has been seen used by threat actors and ransomware strains in order to evade defenses.
Detection logic
condition: 1 of selection_* and not 1 of filter_*
filter_msiexec:
    CommandLine|contains: ' sl '
    ParentImage:
        - C:\Windows\SysWOW64\msiexec.exe
        - C:\Windows\System32\msiexec.exe
selection_other_ps:
    CommandLine|contains:
        - 'Clear-EventLog '
        - 'Remove-EventLog '
        - 'Limit-EventLog '
        - 'Clear-WinEvent '
    Image|endswith:
        - \powershell.exe
        - \pwsh.exe
selection_other_wmi:
    CommandLine|contains: ClearEventLog
    Image|endswith:
        - \powershell.exe
        - \pwsh.exe
        - \wmic.exe
selection_wevtutil:
    CommandLine|contains:
        - 'clear-log '
        - ' cl '
        - 'set-log '
        - ' sl '
        - 'lfn:'
    Image|endswith: \wevtutil.exe
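The following is an added example, not part of the Sigma rule or of the Sigma project's own code: it re-implements the three selections, the msiexec filter and the condition above as plain Python and runs them over a handful of constructed process-creation events (hand-written dicts with the Sysmon-style fields Image, ParentImage and CommandLine; no real telemetry). The event names and the helper functions are this example's own. Sigma string modifiers are case-insensitive, so both sides of every comparison are lowercased.

```python
"""Evaluate the event-log-clearing rule above against constructed events.

Added example; not the rule's or Sigma's own code. Events below are constructed
dicts mirroring Sysmon Event ID 1 fields (Image, ParentImage, CommandLine).
"""

# Terms copied from the detection block. Note the surrounding spaces on the
# short wevtutil verbs ' cl ' and ' sl ': they keep 'cl' from matching words
# such as 'include', at the cost of missing tab-separated or quoted forms.
WEVTUTIL_TERMS = ["clear-log ", " cl ", "set-log ", " sl ", "lfn:"]
PS_CMDLETS = ["Clear-EventLog ", "Remove-EventLog ", "Limit-EventLog ", "Clear-WinEvent "]
PS_IMAGES = ["\\powershell.exe", "\\pwsh.exe"]
WMI_IMAGES = PS_IMAGES + ["\\wmic.exe"]
MSIEXEC_PARENTS = [
    "c:\\windows\\syswow64\\msiexec.exe",
    "c:\\windows\\system32\\msiexec.exe",
]


def _contains(value, terms):
    """Sigma 'contains': case-insensitive substring match against any term."""
    v = value.lower()
    return any(t.lower() in v for t in terms)


def _endswith(value, suffixes):
    """Sigma 'endswith': case-insensitive suffix match against any suffix."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matched_selections(event):
    """Names of the selection_* blocks that match, before the filter is applied."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    hits = []
    if _endswith(image, ["\\wevtutil.exe"]) and _contains(cmd, WEVTUTIL_TERMS):
        hits.append("selection_wevtutil")
    if _endswith(image, PS_IMAGES) and _contains(cmd, PS_CMDLETS):
        hits.append("selection_other_ps")
    if _endswith(image, WMI_IMAGES) and _contains(cmd, ["ClearEventLog"]):
        hits.append("selection_other_wmi")
    return hits


def filtered(event):
    """filter_msiexec: ' sl ' spawned by msiexec.exe is treated as installer noise."""
    parent = event.get("ParentImage", "").lower()
    return parent in MSIEXEC_PARENTS and _contains(event.get("CommandLine", ""), [" sl "])


def rule_fires(event):
    """condition: 1 of selection_* and not 1 of filter_*"""
    return bool(matched_selections(event)) and not filtered(event)


def evaluate(events):
    """Map each event's 'id' to whether the rule fires on it."""
    return {e["id"]: rule_fires(e) for e in events}


# Constructed sample events (not captured telemetry).
SAMPLE_EVENTS = [
    {"id": "wevtutil-cl", "Image": r"C:\Windows\System32\wevtutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wevtutil.exe cl Security"},
    {"id": "ps-clear-eventlog",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -c Clear-EventLog -LogName Security"},
    {"id": "wmic-cleareventlog", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic nteventlog where LogFileName='Security' call ClearEventLog"},
    {"id": "ps-wmi-method", "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "pwsh.exe -c (gwmi Win32_NTEventlogFile | ? LogFileName -eq 'Security').ClearEventLog()"},
    # Matches selection_wevtutil, but the msiexec parent plus ' sl ' is filtered out.
    {"id": "msiexec-sl", "Image": r"C:\Windows\System32\wevtutil.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "wevtutil.exe sl Application /ms:1048576"},
    # Benign query of the log: no selection matches.
    {"id": "wevtutil-query", "Image": r"C:\Windows\System32\wevtutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wevtutil.exe qe Security /c:5 /f:text"},
]

if __name__ == "__main__":
    for event_id, fired in evaluate(SAMPLE_EVENTS).items():
        print(f"{event_id:20s} {'ALERT' if fired else 'ok'}")
```

The msiexec filter only exempts the ' sl ' term, so an installer-spawned `wevtutil cl` would still alert; conversely, an attacker who can run under msiexec.exe gets a free pass on log-size tampering, which is the trade-off the filter accepts to suppress installer noise.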