Techniques
Sample rules
Security Eventlog Cleared
- source: sigma
- techniques:
- t1070
- t1070.001
Description
The Security event log has been cleared. Event 1102 is written to the Security log when it is cleared, for example by running "wevtutil cl Security"; event 517 is the pre-Vista equivalent of the same event.
Detection logic
condition: 1 of selection_*
selection_1102:
    EventID: 1102
    Provider_Name: Microsoft-Windows-Eventlog
selection_517:
    EventID: 517
    Provider_Name: Security
Important Windows Eventlog Cleared
- source: sigma
- techniques:
- t1070
- t1070.001
Description
Detects the clearing of one of the core Windows event logs (Security, System, Sysmon and the PowerShell logs). Event 104 is written to the System log when a log is cleared, for example by "wevtutil cl", and names the cleared log in its Channel field.
Detection logic
condition: selection
selection:
    Channel:
        - Microsoft-Windows-PowerShell/Operational
        - Microsoft-Windows-Sysmon/Operational
        - PowerShellCore/Operational
        - Security
        - System
        - Windows PowerShell
    EventID: 104
    Provider_Name: Microsoft-Windows-Eventlog
Eventlog Cleared
- source: sigma
- techniques:
- t1070
- t1070.001
Description
Detects the clearing of any other Windows event log: the same event 104 (for example from "wevtutil cl"), for every channel not already covered by the "Important Windows Eventlog Cleared" rule.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_covered:
    Channel:
        - Microsoft-Windows-PowerShell/Operational
        - Microsoft-Windows-Sysmon/Operational
        - PowerShellCore/Operational
        - Security
        - System
        - Windows PowerShell
selection:
    EventID: 104
    Provider_Name: Microsoft-Windows-Eventlog
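The three rules above, run over sample events, as an added example that is not part of this page or of the Sigma project. Events are plain dicts keyed by the Sigma Windows field names used on the page (EventID, Provider_Name, Channel); the sample records are constructed for the demonstration, not captured from a host. Sigma matches string values case-insensitively, so the channel and provider comparisons fold case the same way, and EventID is normalised to an integer because some pipelines deliver it as a string.

```python
"""Evaluate the page's three Sigma "event log cleared" rules over constructed events.

Added example, not code from the Sigma project. The sample events below are
constructed, not real telemetry.
"""

# Channel list shared by "Important Windows Eventlog Cleared" (its selection) and
# "Eventlog Cleared" (its filter_main_covered), exactly as listed on the page.
CORE_CHANNELS = {
    "Microsoft-Windows-PowerShell/Operational",
    "Microsoft-Windows-Sysmon/Operational",
    "PowerShellCore/Operational",
    "Security",
    "System",
    "Windows PowerShell",
}
_CORE_CHANNELS_FOLDED = {c.lower() for c in CORE_CHANNELS}


def _str_eq(event, field, value):
    """Case-insensitive match on one string field (Sigma's default semantics)."""
    actual = event.get(field)
    return isinstance(actual, str) and actual.lower() == value.lower()


def _event_id(event, value):
    """EventID may arrive as int or string depending on the pipeline; normalise it."""
    try:
        return int(event.get("EventID")) == value
    except (TypeError, ValueError):
        return False


def security_eventlog_cleared(event):
    """Rule 1, condition '1 of selection_*': 1102 (Security log) or 517 (pre-Vista)."""
    selection_1102 = (_event_id(event, 1102)
                      and _str_eq(event, "Provider_Name", "Microsoft-Windows-Eventlog"))
    selection_517 = (_event_id(event, 517)
                     and _str_eq(event, "Provider_Name", "Security"))
    return selection_1102 or selection_517


def _eventlog_104(event):
    """The 'selection' shared by rules 2 and 3: event 104 from the Eventlog provider."""
    return (_event_id(event, 104)
            and _str_eq(event, "Provider_Name", "Microsoft-Windows-Eventlog"))


def _covered_channel(event):
    """True when the cleared log (Channel field of event 104) is a core channel."""
    channel = event.get("Channel")
    return isinstance(channel, str) and channel.lower() in _CORE_CHANNELS_FOLDED


def important_eventlog_cleared(event):
    """Rule 2, condition 'selection': event 104 for one of the core channels."""
    return _eventlog_104(event) and _covered_channel(event)


def eventlog_cleared(event):
    """Rule 3, condition 'selection and not 1 of filter_main_*':
    event 104 for every channel rule 2 does not already cover."""
    return _eventlog_104(event) and not _covered_channel(event)


RULES = {
    "Security Eventlog Cleared": security_eventlog_cleared,
    "Important Windows Eventlog Cleared": important_eventlog_cleared,
    "Eventlog Cleared": eventlog_cleared,
}


def matching_rules(event):
    """Names of the rules that fire for one event, in page order."""
    return [name for name, rule in RULES.items() if rule(event)]


# Constructed sample events (not real telemetry). Index 1 carries EventID as a
# string, index 2 a lower-cased channel, index 4 a provider that must not match.
SAMPLE_EVENTS = [
    {"EventID": 1102, "Provider_Name": "Microsoft-Windows-Eventlog", "Channel": "Security"},
    {"EventID": "517", "Provider_Name": "Security", "Channel": "Security"},
    {"EventID": 104, "Provider_Name": "Microsoft-Windows-Eventlog",
     "Channel": "microsoft-windows-sysmon/operational"},
    {"EventID": 104, "Provider_Name": "Microsoft-Windows-Eventlog", "Channel": "Application"},
    {"EventID": 104, "Provider_Name": "Other-Provider", "Channel": "System"},
    {"EventID": 4688, "Provider_Name": "Microsoft-Windows-Security-Auditing", "Channel": "Security"},
]


def scan(events):
    """Return {event index: [rule names]} for every event that matched at least one rule."""
    hits = {}
    for i, event in enumerate(events):
        names = matching_rules(event)
        if names:
            hits[i] = names
    return hits


if __name__ == "__main__":
    for i, names in scan(SAMPLE_EVENTS).items():
        print(f"event {i}: {SAMPLE_EVENTS[i]} -> {names}")
```

Events 0 and 1 trip only the Security rule, event 2 only the core-channel rule, event 3 only the catch-all rule, and events 4 and 5 nothing: the two 104 rules are complementary by construction (same selection, the filter of one is the selection of the other), so a single 104 event can never fire both.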