Sample rules
Suspicious Eventlog Clearing or Configuration Change Activity
- source: sigma
- techniques:
  - t1070
  - t1070.001
  - t1562
  - t1562.002
Description
Detects the clearing or configuration tampering of the Windows EventLog using utilities such as “wevtutil”, “powershell” and “wmic”. This technique has been seen used by threat actors and ransomware strains in order to evade defenses.
Detection logic
selection_wevtutil_img:
  - Image|endswith: \wevtutil.exe
  - OriginalFileName: wevtutil.exe
selection_wevtutil_cmd:
  CommandLine|contains:
    - 'clear-log '
    - ' cl '
    - 'set-log '
    - ' sl '
    - 'lfn:'
selection_other_ps_img:
  Image|endswith:
    - \powershell.exe
    - \powershell_ise.exe
    - \pwsh.exe
selection_other_ps_cmd:
  - CommandLine|contains:
      - 'Clear-EventLog '
      - 'Remove-EventLog '
      - 'Limit-EventLog '
      - 'Clear-WinEvent '
  - CommandLine|contains|all:
      - Eventing.Reader.EventLogSession
      - ClearLog
  - CommandLine|contains|all:
      - Diagnostics.EventLog
      - Clear
selection_other_wmi:
  CommandLine|contains: ClearEventLog
  Image|endswith:
    - \powershell.exe
    - \powershell_ise.exe
    - \pwsh.exe
    - \wmic.exe
filter_main_msiexec:
  CommandLine|contains: ' sl '
  ParentImage:
    - C:\Windows\SysWOW64\msiexec.exe
    - C:\Windows\System32\msiexec.exe
condition: (all of selection_wevtutil_*) or (all of selection_other_ps_*) or (selection_other_wmi) and not 1 of filter_main_*
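As an added example (not part of the rule or of the SigmaHQ project), the Python below re-implements the detection logic above and runs it over a few constructed process-creation events, showing which command lines alert and which one the msiexec filter excludes. It assumes Sigma's default case-insensitive string matching and applies the `filter_main_*` exclusion to all three selections; because Sigma's `and` binds tighter than `or`, confirm that your backend parses the condition the same way.

```python
# Match strings copied from the rule. Sigma matching is case-insensitive,
# so every field value and pattern is compared in lower case.
WEVTUTIL_CMD = ["clear-log ", " cl ", "set-log ", " sl ", "lfn:"]
PS_IMAGES = ("\\powershell.exe", "\\powershell_ise.exe", "\\pwsh.exe")
WMI_IMAGES = PS_IMAGES + ("\\wmic.exe",)
PS_CMDLETS = ["clear-eventlog ", "remove-eventlog ", "limit-eventlog ", "clear-winevent "]
PS_ALL = [["eventing.reader.eventlogsession", "clearlog"], ["diagnostics.eventlog", "clear"]]
MSIEXEC = ("c:\\windows\\syswow64\\msiexec.exe", "c:\\windows\\system32\\msiexec.exe")

def _field(event, name):
    return str(event.get(name, "")).lower()

def matches(event):
    """True when a process-creation event satisfies the rule's condition."""
    cmd, img = _field(event, "CommandLine"), _field(event, "Image")
    # all of selection_wevtutil_*: (image OR OriginalFileName) AND a clear/set switch
    is_wevtutil = (img.endswith("\\wevtutil.exe")
                   or _field(event, "OriginalFileName") == "wevtutil.exe")
    wevtutil = is_wevtutil and any(s in cmd for s in WEVTUTIL_CMD)
    # all of selection_other_ps_*: PowerShell host AND a cmdlet or .NET pattern
    ps = img.endswith(PS_IMAGES) and (any(s in cmd for s in PS_CMDLETS)
                                      or any(all(p in cmd for p in g) for g in PS_ALL))
    # selection_other_wmi: the ClearEventLog method via wmic or PowerShell
    wmi = "cleareventlog" in cmd and img.endswith(WMI_IMAGES)
    # filter_main_msiexec: installers legitimately adjust log settings with "sl"
    excluded = " sl " in cmd and _field(event, "ParentImage") in MSIEXEC
    # Assumption: the exclusion is applied to all three selections (see lead-in).
    return (wevtutil or ps or wmi) and not excluded

def _ev(image, cmdline, parent):
    return {"Image": image, "CommandLine": cmdline, "ParentImage": parent}

SYS32 = "C:\\Windows\\System32\\"
# Constructed sample events (not real telemetry); only the first three should alert.
EVENTS = [
    _ev(SYS32 + "wevtutil.exe", "wevtutil cl Security", SYS32 + "cmd.exe"),
    _ev(SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe",
        "powershell -c Clear-EventLog -LogName Application", "C:\\Windows\\explorer.exe"),
    _ev(SYS32 + "wbem\\WMIC.exe", "wmic nteventlog call ClearEventLog", SYS32 + "cmd.exe"),
    _ev(SYS32 + "wevtutil.exe", "wevtutil sl Application /ms:104857600", SYS32 + "msiexec.exe"),
    _ev(SYS32 + "wevtutil.exe", "wevtutil qe Security /c:5", SYS32 + "cmd.exe"),
]

def evaluate(events):
    """Apply the rule to a list of events; returns one verdict per event."""
    return [matches(e) for e in events]
```

The fourth event (log size tuning spawned by msiexec) trips `selection_wevtutil_*` but is dropped by the filter, while the read-only `qe` query never matches at all.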