Techniques
Sample rules
Suspicious Eventlog Clear or Configuration Change
- source: sigma
- techniques:
  - t1070
  - t1070.001
  - t1562
  - t1562.002
Description
Detects the clearing or reconfiguration of Windows event logs using wevtutil, PowerShell or WMIC. This may be used by ransomware during an attack to remove traces of activity (seen with NotPetya and others).
Detection logic
condition: 1 of selection_* and not 1 of filter_*
filter_msiexec:
  CommandLine|contains: ' sl '
  ParentImage:
    - C:\Windows\SysWOW64\msiexec.exe
    - C:\Windows\System32\msiexec.exe
selection_other_ps:
  CommandLine|contains:
    - 'Clear-EventLog '
    - 'Remove-EventLog '
    - 'Limit-EventLog '
    - 'Clear-WinEvent '
  Image|endswith:
    - \powershell.exe
    - \pwsh.exe
selection_other_wmi:
  CommandLine|contains: ClearEventLog
  Image|endswith:
    - \powershell.exe
    - \pwsh.exe
    - \wmic.exe
selection_wevtutil:
  CommandLine|contains:
    - 'clear-log '
    - ' cl '
    - 'set-log '
    - ' sl '
    - 'lfn:'
  Image|endswith: \wevtutil.exe
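To show how the condition above actually evaluates against process-creation telemetry, the following is an added Python example (not part of the Sigma rule or the Sigma project's own tooling). It reimplements just the `contains`, `endswith` and exact-match field tests the rule uses, applies the `1 of selection_* and not 1 of filter_*` condition, and runs it over a handful of constructed events using the Sysmon/Sigma `process_creation` field names (`Image`, `CommandLine`, `ParentImage`). String matching is case-insensitive, as in Sigma. The sample events, their `id` values and the `evaluate`/`run` helpers are assumptions made for this example.

```python
"""Minimal evaluator for the 'Suspicious Eventlog Clear or Configuration Change' logic.

Added example: mirrors the selections and filter of the rule above so the
condition can be exercised against constructed process-creation events.
"""

# Selections and filter transcribed from the rule above. Keys carry the Sigma
# modifier after '|' (contains / endswith); a key without a modifier is an
# exact match. A list of values means "any of these".
SELECTIONS = {
    "selection_wevtutil": {
        "Image|endswith": ["\\wevtutil.exe"],
        "CommandLine|contains": ["clear-log ", " cl ", "set-log ", " sl ", "lfn:"],
    },
    "selection_other_ps": {
        "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
        "CommandLine|contains": [
            "Clear-EventLog ", "Remove-EventLog ", "Limit-EventLog ", "Clear-WinEvent ",
        ],
    },
    "selection_other_wmi": {
        "Image|endswith": ["\\powershell.exe", "\\pwsh.exe", "\\wmic.exe"],
        "CommandLine|contains": ["ClearEventLog"],
    },
}
FILTERS = {
    "filter_msiexec": {
        "ParentImage": [
            "C:\\Windows\\SysWOW64\\msiexec.exe",
            "C:\\Windows\\System32\\msiexec.exe",
        ],
        "CommandLine|contains": [" sl "],
    },
}


def field_matches(event, key, values):
    """Return True if the event field satisfies the Sigma modifier for any value."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()  # Sigma string matching is case-insensitive
    for value in values:
        value = value.lower()
        if modifier == "contains" and value in actual:
            return True
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "" and actual == value:
            return True
    return False


def selection_matches(event, selection):
    """All fields inside one selection/filter block are ANDed together."""
    return all(field_matches(event, key, values) for key, values in selection.items())


def evaluate(event):
    """Apply 'condition: 1 of selection_* and not 1 of filter_*' to one event."""
    hits = [name for name, sel in SELECTIONS.items() if selection_matches(event, sel)]
    suppressed = [name for name, flt in FILTERS.items() if selection_matches(event, flt)]
    return {"alert": bool(hits) and not suppressed, "selections": hits, "filters": suppressed}


# Constructed sample events (hypothetical; not captured from a real host).
SAMPLE_EVENTS = [
    {"id": 1, "Image": "C:\\Windows\\System32\\wevtutil.exe",
     "CommandLine": "wevtutil cl Security",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"id": 2, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -Command Clear-EventLog -LogName Security",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"id": 3, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic nteventlog where LogFileName='Security' call ClearEventLog",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    # Matches selection_wevtutil but is suppressed by filter_msiexec (installer parent).
    {"id": 4, "Image": "C:\\Windows\\System32\\wevtutil.exe",
     "CommandLine": "wevtutil sl Application /ms:1048576",
     "ParentImage": "C:\\Windows\\System32\\msiexec.exe"},
    # Benign: querying events, not clearing or reconfiguring the log.
    {"id": 5, "Image": "C:\\Windows\\System32\\wevtutil.exe",
     "CommandLine": "wevtutil qe Security /c:5",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"id": 6, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe Get-EventLog -LogName Application -Newest 10",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]


def run(events=SAMPLE_EVENTS):
    """Return the ids of events that would raise an alert under the rule."""
    return [event["id"] for event in events if evaluate(event)["alert"]]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["id"], evaluate(event))
    print("alerting ids:", run())
```

Note how event 4 illustrates the filter's scope: `filter_msiexec` only suppresses the `' sl '` (set-log) form under an msiexec parent, so an installer resizing a log is tolerated, while `cl`/`clear-log` from the same parent would still alert. Also note that the contains patterns carry trailing spaces (`'Clear-EventLog '`, `' cl '`), so a command line that ends immediately after the cmdlet name, or that separates arguments with tabs, would not match; that is a known gap of this rule's string-based logic rather than of the evaluator.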