EventLog EVTX File Deleted

Jan 1, 2024 · attack.defense_evasion attack.t1070 ·

Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence

Sigma rule (View on GitHub)

 1title: EventLog EVTX File Deleted
 2id: 63c779ba-f638-40a0-a593-ddd45e8b1ddc
 3status: test
 4description: Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence
 5references:
 6    - Internal Research
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023/02/15
 9tags:
10    - attack.defense_evasion
11    - attack.t1070
12logsource:
13    category: file_delete
14    product: windows
15detection:
16    selection:
17        TargetFilename|startswith: 'C:\Windows\System32\winevt\Logs\'
18        TargetFilename|endswith: '.evtx'
19    condition: selection
20falsepositives:
21    - Unknown
22level: medium

References

Internal Research

Read More

Related rules

IIS WebServer Access Logs Deleted
PowerShell Console History Logs Deleted
Tomcat WebServer Logs Deleted
Exchange PowerShell Cmdlet History Deleted
SES Identity Has Been Deleted