LoFP / maintenance activity

Techniques

Sample rules

Suspicious Eventlog Clearing or Configuration Change Activity

Description

Detects the clearing or configuration tampering of the EventLog using utilities such as "wevtutil", "powershell" and "wmic". This technique was seen being used by threat actors and ransomware strains in order to evade defenses.

Detection logic

condition: 1 of selection_* and not 1 of filter_*
filter_msiexec:
  CommandLine|contains: ' sl '
  ParentImage:
  - C:\Windows\SysWOW64\msiexec.exe
  - C:\Windows\System32\msiexec.exe
selection_other_ps:
  CommandLine|contains:
  - 'Clear-EventLog '
  - 'Remove-EventLog '
  - 'Limit-EventLog '
  - 'Clear-WinEvent '
  Image|endswith:
  - \powershell.exe
  - \pwsh.exe
selection_other_wmi:
  CommandLine|contains: ClearEventLog
  Image|endswith:
  - \powershell.exe
  - \pwsh.exe
  - \wmic.exe
selection_wevtutil:
  CommandLine|contains:
  - 'clear-log '
  - ' cl '
  - 'set-log '
  - ' sl '
  - 'lfn:'
  Image|endswith: \wevtutil.exe
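The rule condition above worked through in Python, as an added example that is not part of the LoFP page or the Sigma rule itself: it evaluates the selection and filter blocks over constructed process-creation events, and shows how filter_msiexec suppresses the maintenance case (a size change via ' sl ' launched by msiexec) that would otherwise match selection_wevtutil.

```python
# Added example (not from the LoFP page or the Sigma project); field names follow the rule.
SELECTIONS = {
    "selection_other_ps": {
        "CommandLine|contains": ["Clear-EventLog ", "Remove-EventLog ",
                                 "Limit-EventLog ", "Clear-WinEvent "],
        "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"]},
    "selection_other_wmi": {
        "CommandLine|contains": ["ClearEventLog"],
        "Image|endswith": ["\\powershell.exe", "\\pwsh.exe", "\\wmic.exe"]},
    "selection_wevtutil": {
        "CommandLine|contains": ["clear-log ", " cl ", "set-log ", " sl ", "lfn:"],
        "Image|endswith": ["\\wevtutil.exe"]},
}
FILTERS = {
    "filter_msiexec": {
        "CommandLine|contains": [" sl "],
        "ParentImage": ["C:\\Windows\\SysWOW64\\msiexec.exe",
                        "C:\\Windows\\System32\\msiexec.exe"]},
}

def field_matches(event, key, values):
    # Sigma string comparisons are case-insensitive; values in one field are ORed.
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    check = {"contains": lambda v: v in actual,
             "endswith": actual.endswith, "": actual.__eq__}[modifier]
    return any(check(v.lower()) for v in values)

def block_matches(event, block):
    # Fields inside one selection/filter block are ANDed.
    return all(field_matches(event, k, vals) for k, vals in block.items())

def evaluate(event):
    """Condition '1 of selection_* and not 1 of filter_*'; returns (alert, hits)."""
    hits = [n for n, b in SELECTIONS.items() if block_matches(event, b)]
    suppressed = any(block_matches(event, b) for b in FILTERS.values())
    return bool(hits) and not suppressed, hits

# Constructed events: a log clear, the msiexec maintenance case, a benign log read.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\wevtutil.exe", "CommandLine": "wevtutil cl Security",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Windows\\System32\\wevtutil.exe",
     "CommandLine": "wevtutil sl Application /ms:20971520",
     "ParentImage": "C:\\Windows\\System32\\msiexec.exe"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -Command Get-EventLog -List",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]
```

Running evaluate() over SAMPLE_EVENTS yields an alert only for the first event; the second matches selection_wevtutil but is suppressed by the msiexec parent filter, and the third matches nothing.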