Important Windows Eventlog Cleared
Detects the clearing of one of the Windows core event logs, e.g. as caused by execution of the "wevtutil cl" command.
Sigma rule
title: Important Windows Eventlog Cleared
id: 100ef69e-3327-481c-8e5c-6d80d9507556
related:
    - id: a62b37e0-45d3-48d9-a517-90c1a1b0186b
      type: derived
status: test
description: Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by "wevtutil cl" command execution
references:
    - https://twitter.com/deviouspolack/status/832535435960209408
    - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
author: Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-17
modified: 2023-11-15
tags:
    - attack.defense-evasion
    - attack.t1070.001
    - car.2016-04-002
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 104
        Provider_Name: 'Microsoft-Windows-Eventlog'
        Channel:
            - 'Microsoft-Windows-PowerShell/Operational'
            - 'Microsoft-Windows-Sysmon/Operational'
            - 'PowerShellCore/Operational'
            - 'Security'
            - 'System'
            - 'Windows PowerShell'
    condition: selection
falsepositives:
    - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
    - System provisioning (system reset before the golden image creation)
level: high
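To make the selection logic concrete, the following is an added example (not part of the Sigma project or this rule's source) that evaluates the rule's single selection with Sigma semantics over constructed Event ID 104 records: every field in the map must match (AND), a list of values is an OR, and string comparison is case-insensitive. The field names EventID, Provider_Name and Channel are taken from the rule; the sample records and the SubjectUserName values in them are constructed for illustration.

```python
"""Evaluate the 'Important Windows Eventlog Cleared' selection over sample records.

Added example; not the Sigma project's own code. The event dicts below are
constructed to look like Event ID 104 entries from the System log, using the
same field names the rule uses.
"""

# Selection copied from the rule: all keys must match (AND), list values are OR.
SELECTION = {
    "EventID": 104,
    "Provider_Name": "Microsoft-Windows-Eventlog",
    "Channel": [
        "Microsoft-Windows-PowerShell/Operational",
        "Microsoft-Windows-Sysmon/Operational",
        "PowerShellCore/Operational",
        "Security",
        "System",
        "Windows PowerShell",
    ],
}


def field_matches(expected, actual):
    """Sigma semantics for one field: a list is a logical OR over its values,
    a scalar must match exactly; string matching is case-insensitive by default."""
    values = expected if isinstance(expected, list) else [expected]
    for value in values:
        if isinstance(value, str) and isinstance(actual, str):
            if value.lower() == actual.lower():
                return True
        elif value == actual:
            return True
    return False


def rule_matches(event):
    """All fields of the selection must match; a field missing from the event fails."""
    return all(field_matches(expected, event.get(key))
               for key, expected in SELECTION.items())


def detect(events):
    """Return (index, cleared channel) for every record that fires the rule."""
    return [(i, event["Channel"]) for i, event in enumerate(events)
            if rule_matches(event)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Security log cleared: fires.
    {"EventID": 104, "Provider_Name": "Microsoft-Windows-Eventlog",
     "Channel": "Security", "SubjectUserName": "CONTOSO\\jdoe"},
    # Application log cleared: not one of the channels the rule lists.
    {"EventID": 104, "Provider_Name": "Microsoft-Windows-Eventlog",
     "Channel": "Application", "SubjectUserName": "CONTOSO\\jdoe"},
    # Different event ID from the same provider: outside this rule's scope.
    {"EventID": 1102, "Provider_Name": "Microsoft-Windows-Eventlog",
     "Channel": "Security"},
    # Channel name in a different case: still fires (case-insensitive match).
    {"EventID": 104, "Provider_Name": "Microsoft-Windows-Eventlog",
     "Channel": "system", "SubjectUserName": "CONTOSO\\svc-deploy"},
    # Record with no Channel field at all: cannot match.
    {"EventID": 104, "Provider_Name": "Microsoft-Windows-Eventlog"},
]

if __name__ == "__main__":
    for index, channel in detect(SAMPLE_EVENTS):
        user = SAMPLE_EVENTS[index].get("SubjectUserName", "<unknown>")
        print(f"record {index}: {channel} log cleared by {user}")
```

The fourth record is the kind of hit the rule's falsepositives section describes: a clear of the System log by a provisioning or agent-deployment account matches the logic just like an attacker's would, so triage rests on who cleared which log and when, not on tuning the selection itself.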
Related rules
- Eventlog Cleared
- NotPetya Ransomware Activity
- Security Eventlog Cleared
- Suspicious Eventlog Clearing or Configuration Change Activity
- Disable of ETW Trace - Powershell