EventLog EVTX File Deleted
Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence
Sigma rule (View on GitHub)
1title: EventLog EVTX File Deleted
2id: 63c779ba-f638-40a0-a593-ddd45e8b1ddc
3status: test
4description: Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence
5references:
6 - Internal Research
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2023/02/15
9tags:
10 - attack.defense_evasion
11 - attack.t1070
12logsource:
13 category: file_delete
14 product: windows
15detection:
16 selection:
17 TargetFilename|startswith: 'C:\Windows\System32\winevt\Logs\'
18 TargetFilename|endswith: '.evtx'
19 condition: selection
20falsepositives:
21 - Unknown
22level: medium
References
Related rules
- IIS WebServer Access Logs Deleted
- PowerShell Console History Logs Deleted
- Tomcat WebServer Logs Deleted
- Exchange PowerShell Cmdlet History Deleted
- SES Identity Has Been Deleted