Security Eventlog Cleared
One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
Sigma rule (View on GitHub)
1title: Security Eventlog Cleared
2id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982
3related:
4 - id: f2f01843-e7b8-4f95-a35a-d23584476423
5 type: obsolete
6 - id: a122ac13-daf8-4175-83a2-72c387be339d
7 type: obsolete
8status: test
9description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
10references:
11 - https://twitter.com/deviouspolack/status/832535435960209408
12 - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
13 - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml
14author: Florian Roth (Nextron Systems)
15date: 2017-01-10
16modified: 2022-02-24
17tags:
18 - attack.defense-evasion
19 - attack.t1070.001
20 - car.2016-04-002
21logsource:
22 product: windows
23 service: security
24detection:
25 selection_517:
26 EventID: 517
27 Provider_Name: Security
28 selection_1102:
29 EventID: 1102
30 Provider_Name: Microsoft-Windows-Eventlog
31 condition: 1 of selection_*
32falsepositives:
33 - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
34 - System provisioning (system reset before the golden image creation)
35level: high
References
-
Submit malware for free analysis with Falcon Sandbox and Hybrid Analysis technology. Hybrid Analysis develops and licenses analysis tools to fight malware.
Read More -
Cloud-native SIEM for intelligent security analytics for your entire enterprise. - Azure/Azure-Sentinel
Read More
Related rules
- NotPetya Ransomware Activity
- Suspicious Eventlog Clearing or Configuration Change Activity
- Disable of ETW Trace - Powershell
- ETW Trace Evasion Activity
- Suspicious Eventlog Clear