LoFP / maintenance activity

Techniques

Sample rules

Suspicious Eventlog Clear or Configuration Change

Description

Detects clearing or reconfiguration of event logs via wevtutil, PowerShell and WMIC. Ransomware may do this during an attack (seen with NotPetya and others).

Detection logic

condition: 1 of selection_* and not 1 of filter_*
filter_msiexec:
  CommandLine|contains: ' sl '
  ParentImage:
  - C:\Windows\SysWOW64\msiexec.exe
  - C:\Windows\System32\msiexec.exe
selection_other_ps:
  CommandLine|contains:
  - 'Clear-EventLog '
  - 'Remove-EventLog '
  - 'Limit-EventLog '
  - 'Clear-WinEvent '
  Image|endswith:
  - \powershell.exe
  - \pwsh.exe
selection_other_wmi:
  CommandLine|contains: ClearEventLog
  Image|endswith:
  - \powershell.exe
  - \pwsh.exe
  - \wmic.exe
selection_wevtutil:
  CommandLine|contains:
  - 'clear-log '
  - ' cl '
  - 'set-log '
  - ' sl '
  - 'lfn:'
  Image|endswith: \wevtutil.exe
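To make the interaction between the selections and the msiexec filter concrete, here is an added example (not from the LoFP page or the Sigma project) that re-implements the rule's three selections, its filter and its condition in Python and evaluates them over a few constructed process-creation events. The event records, the `ProcEvent` class and the function names are assumptions of this example; the strings being matched are taken from the rule above. Sigma string modifiers match case-insensitively, and the example mirrors that.

```python
"""Evaluate the 'Suspicious Eventlog Clear or Configuration Change' logic
over constructed process-creation events (added example, not the page's own code)."""

from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (assumed field names, not a Sigma type)."""
    image: str
    command_line: str
    parent_image: str = ""


# Sigma's contains/endswith modifiers are case-insensitive by default.
def _contains_any(value, needles):
    v = value.lower()
    return any(n.lower() in v for n in needles)


def _endswith_any(value, suffixes):
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def selection_other_ps(e):
    return (_contains_any(e.command_line, ['Clear-EventLog ', 'Remove-EventLog ',
                                           'Limit-EventLog ', 'Clear-WinEvent '])
            and _endswith_any(e.image, ['\\powershell.exe', '\\pwsh.exe']))


def selection_other_wmi(e):
    return (_contains_any(e.command_line, ['ClearEventLog'])
            and _endswith_any(e.image, ['\\powershell.exe', '\\pwsh.exe', '\\wmic.exe']))


def selection_wevtutil(e):
    return (_contains_any(e.command_line, ['clear-log ', ' cl ', 'set-log ', ' sl ', 'lfn:'])
            and _endswith_any(e.image, ['\\wevtutil.exe']))


def filter_msiexec(e):
    # Installer maintenance: wevtutil sl launched by msiexec from either system directory.
    return (_contains_any(e.command_line, [' sl '])
            and e.parent_image.lower() in ('c:\\windows\\syswow64\\msiexec.exe',
                                           'c:\\windows\\system32\\msiexec.exe'))


def matches(e):
    """condition: 1 of selection_* and not 1 of filter_*"""
    selected = any(s(e) for s in (selection_other_ps, selection_other_wmi, selection_wevtutil))
    filtered = any(f(e) for f in (filter_msiexec,))
    return selected and not filtered


def evaluate(events):
    return [matches(e) for e in events]


# Constructed sample events; paths and command lines are illustrative only.
SAMPLE_EVENTS = [
    # wevtutil clearing the Security log from a shell: alert
    ProcEvent(r"C:\Windows\System32\wevtutil.exe",
              "wevtutil.exe cl Security",
              r"C:\Windows\System32\cmd.exe"),
    # installer adjusting a log via set-log under msiexec: suppressed by filter_msiexec
    ProcEvent(r"C:\Windows\System32\wevtutil.exe",
              'wevtutil.exe sl "Microsoft-Windows-TaskScheduler/Operational" /e:true',
              r"C:\Windows\System32\msiexec.exe"),
    # PowerShell Clear-EventLog: alert
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -Command "Clear-EventLog -LogName Application"'),
    # a plain wevtutil query hits no selection: no alert
    ProcEvent(r"C:\Windows\System32\wevtutil.exe",
              "wevtutil.exe qe Security /c:5",
              r"C:\Windows\System32\cmd.exe"),
    # same set-log usage but not under msiexec: the filter does not apply, alert
    ProcEvent(r"C:\Windows\System32\wevtutil.exe",
              'wevtutil.exe sl Security /lfn:C:\\temp\\x.evtx',
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for ev, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{'ALERT ' if hit else 'quiet '} {ev.command_line}")
```

The second and fifth events carry the same `sl` usage; only the parent image decides whether the filter suppresses the match. That is the point of tuning on ParentImage rather than on the command line alone: it keeps the maintenance activity quiet without blanking the set-log selection for every process.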