LoFP / rollout of log collection agents (the setup routine often includes a reset of the local eventlog)

Techniques

Sample rules

Security Eventlog Cleared

source: sigma
technicques:
- t1070
- t1070.001

Description

One of the Windows Eventlogs has been cleared. e.g. caused by “wevtutil cl” command execution

Detection logic

condition: 1 of selection_*
selection_1102:
  EventID: 1102
  Provider_Name: Microsoft-Windows-Eventlog
selection_517:
  EventID: 517
  Provider_Name: Security

Important Windows Eventlog Cleared

source: sigma
technicques:
- t1070
- t1070.001

Description

Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by “wevtutil cl” command execution

Detection logic

condition: selection
selection:
  Channel:
  - Microsoft-Windows-PowerShell/Operational
  - Microsoft-Windows-Sysmon/Operational
  - PowerShellCore/Operational
  - Security
  - System
  - Windows PowerShell
  EventID: 104
  Provider_Name: Microsoft-Windows-Eventlog

Eventlog Cleared

source: sigma
technicques:
- t1070
- t1070.001

Description

One of the Windows Eventlogs has been cleared. e.g. caused by “wevtutil cl” command execution

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_covered:
  Channel:
  - Microsoft-Windows-PowerShell/Operational
  - Microsoft-Windows-Sysmon/Operational
  - PowerShellCore/Operational
  - Security
  - System
  - Windows PowerShell
selection:
  EventID: 104
  Provider_Name: Microsoft-Windows-Eventlog