Suspicious Eventlog Clear
Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the Windows event logs
Sigma rule (View on GitHub)
1title: Suspicious Eventlog Clear
2id: 0f017df3-8f5a-414f-ad6b-24aff1128278
3related:
4 - id: cc36992a-4671-4f21-a91d-6c2b72a2edf5
5 type: derived
6status: test
7description: Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the Windows event logs
8references:
9 - https://twitter.com/oroneequalsone/status/1568432028361830402
10 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md
11 - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html
12author: Nasreddine Bencherchali (Nextron Systems)
13date: 2022-09-12
14tags:
15 - attack.defense-evasion
16 - attack.t1070.001
17logsource:
18 product: windows
19 category: ps_script
20 definition: 'Requirements: Script Block Logging must be enabled'
21detection:
22 selection:
23 ScriptBlockText|contains:
24 - 'Clear-EventLog '
25 - 'Remove-EventLog '
26 - 'Limit-EventLog '
27 - 'Clear-WinEvent '
28 condition: selection
29falsepositives:
30 - Rare need to clear logs before doing something. Sometimes used by installers or cleaner scripts. The script should be investigated to determine if it's legitimate
31level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
Related rules
- NotPetya Ransomware Activity
- Security Eventlog Cleared
- Suspicious Eventlog Clearing or Configuration Change Activity
- Suspicious Windows Trace ETW Session Tamper Via Logman.EXE
- AD Object WriteDAC Access