LoFP / rare need to clear logs before doing something. sometimes used by installers or cleaner scripts. the script should be investigated to determine if it's legitimate

Techniques

Sample rules

Suspicious Eventlog Clear

source: sigma
technicques:
- t1070
- t1070.001

Description

Detects usage of known powershell cmdlets such as “Clear-EventLog” to clear the Windows event logs

Detection logic

condition: selection
selection:
- ScriptBlockText|contains:
  - 'Clear-EventLog '
  - 'Remove-EventLog '
  - 'Limit-EventLog '
  - 'Clear-WinEvent '
- ScriptBlockText|contains|all:
  - Eventing.Reader.EventLogSession
  - ClearLog
- ScriptBlockText|contains:
  - Diagnostics.EventLog
  - Clear