LoFP / maintenance activity

Techniques

Sample rules

Suspicious Eventlog Clearing or Configuration Change Activity

Description

Detects the clearing or configuration tampering of Windows event logs using utilities such as “wevtutil”, “powershell” and “wmic”. This technique has been seen used by threat actors and ransomware strains to evade defenses, since clearing or shrinking a log destroys the evidence later detections and forensics depend on.

Detection logic

selection_wevtutil_img:
  - Image|endswith: '\wevtutil.exe'
  - OriginalFileName: 'wevtutil.exe'   # still identifies a renamed copy of the binary
selection_wevtutil_cmd:
  CommandLine|contains:
    - 'clear-log '   # wevtutil clear-log <log>
    - ' cl '         # short form of clear-log
    - 'set-log '     # wevtutil set-log <log> ... changes the log's configuration
    - ' sl '         # short form of set-log
    - 'lfn:'         # /lfn: points the log at a new file path/name
selection_other_ps_img:
  Image|endswith:
    - '\powershell.exe'
    - '\powershell_ise.exe'
    - '\pwsh.exe'
selection_other_ps_cmd:
  - CommandLine|contains:
      - 'Clear-EventLog '
      - 'Remove-EventLog '
      - 'Limit-EventLog '
      - 'Clear-WinEvent '
  - CommandLine|contains|all:   # .NET EventLogSession.ClearLog()
      - 'Eventing.Reader.EventLogSession'
      - 'ClearLog'
  - CommandLine|contains|all:   # .NET System.Diagnostics.EventLog.Clear()
      - 'Diagnostics.EventLog'
      - 'Clear'
selection_other_wmi:
  Image|endswith:
    - '\powershell.exe'
    - '\powershell_ise.exe'
    - '\pwsh.exe'
    - '\wmic.exe'
  CommandLine|contains: 'ClearEventLog'   # Win32_NTEventLogFile.ClearEventLog method
filter_main_msiexec:   # installers under msiexec resizing a log with 'sl' (the maintenance activity this page lists)
  ParentImage:
    - 'C:\Windows\SysWOW64\msiexec.exe'
    - 'C:\Windows\System32\msiexec.exe'
  CommandLine|contains: ' sl '
# Sigma binds 'and' tighter than 'or', so the three selections must be grouped in
# parentheses; otherwise the filter would only apply to selection_other_wmi.
condition: (all of selection_wevtutil_* or all of selection_other_ps_* or selection_other_wmi) and not 1 of filter_main_*
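The detection block above, re-implemented in plain Python and run over constructed process-creation events so that each selection and the msiexec filter can be checked by hand. This is an added example, not the Sigma project's or LoFP's own code; it assumes Sigma's process_creation field names (Image, CommandLine, ParentImage, OriginalFileName), and every sample event is made up for the test.

```python
# Added example, not the Sigma project's or LoFP's own code: the detection
# block above re-implemented in plain Python and run over constructed
# process-creation events, so the hits and the msiexec filter can be checked.
# Field names follow Sigma's process_creation logsource (Image, CommandLine,
# ParentImage, OriginalFileName); every sample event below is made up.

PS_IMAGES = ("\\powershell.exe", "\\powershell_ise.exe", "\\pwsh.exe")
MSIEXEC_PARENTS = ("c:\\windows\\syswow64\\msiexec.exe",
                   "c:\\windows\\system32\\msiexec.exe")


def _lc(value):
    # Sigma string matching is case-insensitive by default; normalise once.
    return (value or "").lower()


def contains_any(value, needles):
    # Sigma 'contains' with a list: any value may match.
    return any(n.lower() in _lc(value) for n in needles)


def contains_all(value, needles):
    # Sigma 'contains|all': every value must appear.
    return all(n.lower() in _lc(value) for n in needles)


def endswith_any(value, suffixes):
    return any(_lc(value).endswith(s.lower()) for s in suffixes)


def selection_wevtutil(e):
    # all of selection_wevtutil_*: the image (or OriginalFileName, which still
    # identifies a renamed copy) AND a clear-log / set-log fragment.
    img = (endswith_any(e.get("Image"), ["\\wevtutil.exe"])
           or _lc(e.get("OriginalFileName")) == "wevtutil.exe")
    return img and contains_any(e.get("CommandLine"),
                                ["clear-log ", " cl ", "set-log ", " sl ", "lfn:"])


def selection_other_ps(e):
    # all of selection_other_ps_*: a PowerShell host AND a cmdlet or .NET call.
    cl = e.get("CommandLine")
    cmd = (contains_any(cl, ["Clear-EventLog ", "Remove-EventLog ",
                             "Limit-EventLog ", "Clear-WinEvent "])
           or contains_all(cl, ["Eventing.Reader.EventLogSession", "ClearLog"])
           or contains_all(cl, ["Diagnostics.EventLog", "Clear"]))
    return endswith_any(e.get("Image"), PS_IMAGES) and cmd


def selection_other_wmi(e):
    # Win32_NTEventLogFile.ClearEventLog invoked from wmic or PowerShell.
    return (endswith_any(e.get("Image"), PS_IMAGES + ("\\wmic.exe",))
            and contains_any(e.get("CommandLine"), ["ClearEventLog"]))


def filter_main_msiexec(e):
    # Tuning for maintenance activity: an installer under msiexec running
    # 'wevtutil sl' to resize or reconfigure a log.
    return (_lc(e.get("ParentImage")) in MSIEXEC_PARENTS
            and contains_any(e.get("CommandLine"), [" sl "]))


def rule_matches(e):
    # condition: (wevtutil or ps or wmi) and not 1 of filter_main_*
    return ((selection_wevtutil(e) or selection_other_ps(e)
             or selection_other_wmi(e)) and not filter_main_msiexec(e))


def ev(image, cmdline, parent, original=None):
    return {"Image": image, "CommandLine": cmdline, "ParentImage": parent,
            "OriginalFileName": original}


CMD = "C:\\Windows\\System32\\cmd.exe"
WEVTUTIL = "C:\\Windows\\System32\\wevtutil.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed sample events (not real telemetry); names say what each tests.
SAMPLE_EVENTS = {
    "wevtutil_clear": ev(WEVTUTIL, "wevtutil cl Security", CMD),
    "renamed_wevtutil": ev("C:\\Temp\\svc.exe", "svc.exe clear-log System", CMD,
                           original="wevtutil.exe"),
    "ps_cmdlet": ev(PS, 'powershell -nop -c "Clear-EventLog -LogName Security"', CMD),
    "ps_dotnet": ev("C:\\Program Files\\PowerShell\\7\\pwsh.exe",
                    "pwsh -c \"[System.Diagnostics.Eventing.Reader.EventLogSession]"
                    "::GlobalSession.ClearLog('Security')\"", CMD),
    "wmic_clear": ev("C:\\Windows\\System32\\wbem\\WMIC.exe",
                     "wmic nteventlog where \"LogFileName='Security'\" call ClearEventLog", CMD),
    "msiexec_setlog": ev(WEVTUTIL, "wevtutil sl Application /ms:20971520",
                         "C:\\Windows\\System32\\msiexec.exe"),
    "setlog_from_shell": ev(WEVTUTIL, "wevtutil sl Security /ms:1048576", CMD),
    "wevtutil_query": ev(WEVTUTIL, "wevtutil qe Security /c:5 /rd:true", CMD),
}


def evaluate(events=SAMPLE_EVENTS):
    # Map each event name to whether the rule fires on it.
    return {name: rule_matches(e) for name, e in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(("ALERT " if hit else "ok    ") + name)
```

Running it flags six of the eight events and leaves two alone: the read-only `wevtutil qe` query never matches, and the `wevtutil sl` run under msiexec is suppressed by the filter even though selection_wevtutil matches it. That is the trade-off of the tuning: the filter keys only on the msiexec parent plus ' sl ', so a log cleared with `cl` from an installer still alerts, while any set-log change launched through msiexec is silent. Because the fragments are matched case-insensitively as substrings with their surrounding spaces, `' cl '` and `' sl '` still require a log name to follow, which every real invocation has.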