Suspicious Eventlog Clearing or Configuration Change Activity
Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic". This technique was seen used by threat actors and ransomware strains in order to evade defenses.
Sigma rule
title: Suspicious Eventlog Clearing or Configuration Change Activity
id: cc36992a-4671-4f21-a91d-6c2b72a2edf5
status: stable
description: |
    Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic".
    This technique was seen used by threat actors and ransomware strains in order to evade defenses.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md
    - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
    - https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee
    - https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/
author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105
date: 2019-09-26
modified: 2023-07-13
tags:
    - attack.defense-evasion
    - attack.t1070.001
    - attack.t1562.002
    - car.2016-04-002
logsource:
    category: process_creation
    product: windows
detection:
    selection_wevtutil:
        Image|endswith: '\wevtutil.exe'
        CommandLine|contains:
            - 'clear-log ' # clears specified log
            - ' cl '       # short version of 'clear-log'
            - 'set-log '   # modifies config of specified log. could be used to set it to a tiny size
            - ' sl '       # short version of 'set-log'
            - 'lfn:'       # change log file location and name
    selection_other_ps:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - 'Clear-EventLog '
            - 'Remove-EventLog '
            - 'Limit-EventLog '
            - 'Clear-WinEvent '
    selection_other_wmi:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wmic.exe'
        CommandLine|contains: 'ClearEventLog'
    filter_msiexec:
        # Example seen during office update/installation:
        # ParentImage: C:\Windows\SysWOW64\msiexec.exe
        # CommandLine: "C:\WINDOWS\system32\wevtutil.exe" sl Microsoft-RMS-MSIPC/Debug /q:true /e:true /l:4 /rt:false
        ParentImage:
            - 'C:\Windows\SysWOW64\msiexec.exe'
            - 'C:\Windows\System32\msiexec.exe'
        CommandLine|contains: ' sl '
    condition: 1 of selection_* and not 1 of filter_*
falsepositives:
    - Admin activity
    - Scripts and administrative tools used in the monitored environment
    - Maintenance activity
level: high
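To see how the three selections, the msiexec filter and the condition combine, the following is an added example (not code from this page, the rule authors or the SigmaHQ project): a hand-written Python matcher that applies the rule's logic to a handful of constructed Windows process_creation events. It relies on the fact that Sigma's `endswith` and `contains` string modifiers, and plain string values, match case-insensitively; the sample events, their `name` labels and their paths are made up for the demonstration.

```python
# Added example: a hand-written Python equivalent of the Sigma rule above
# (not the SigmaHQ rule's own code or tooling). Sigma string matching is
# case-insensitive, which the .lower() calls model.

WEVTUTIL_TOKENS = ("clear-log ", " cl ", "set-log ", " sl ", "lfn:")
PS_TOKENS = ("Clear-EventLog ", "Remove-EventLog ", "Limit-EventLog ", "Clear-WinEvent ")
PS_IMAGES = ("\\powershell.exe", "\\pwsh.exe")
WMI_IMAGES = PS_IMAGES + ("\\wmic.exe",)
MSIEXEC_PARENTS = (
    "C:\\Windows\\SysWOW64\\msiexec.exe",
    "C:\\Windows\\System32\\msiexec.exe",
)


def _endswith_any(value, suffixes):
    """Sigma `field|endswith` over a list: any suffix matches, case-insensitively."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_any(value, needles):
    """Sigma `field|contains` over a list: any substring matches, case-insensitively."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def _equals_any(value, candidates):
    """Sigma plain string value: exact, case-insensitive comparison."""
    return value.lower() in {c.lower() for c in candidates}


def matches(event):
    """True when the event satisfies `1 of selection_* and not 1 of filter_*`."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "")

    selection_wevtutil = _endswith_any(image, ("\\wevtutil.exe",)) and _contains_any(cmd, WEVTUTIL_TOKENS)
    selection_other_ps = _endswith_any(image, PS_IMAGES) and _contains_any(cmd, PS_TOKENS)
    selection_other_wmi = _endswith_any(image, WMI_IMAGES) and _contains_any(cmd, ("ClearEventLog",))
    # The filter only suppresses msiexec-spawned `sl` (set-log) calls; a `cl`
    # (clear-log) under an msiexec parent still alerts.
    filter_msiexec = _equals_any(parent, MSIEXEC_PARENTS) and _contains_any(cmd, (" sl ",))

    return (selection_wevtutil or selection_other_ps or selection_other_wmi) and not filter_msiexec


# Constructed sample events (not real telemetry); field names follow the
# Sigma process_creation taxonomy the rule is written against.
SAMPLE_EVENTS = [
    {"name": "wevtutil-cl", "Image": "C:\\Windows\\System32\\wevtutil.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "wevtutil.exe cl Security"},
    {"name": "ps-clear-eventlog", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Clear-EventLog -LogName System"},
    {"name": "wmic-cleareventlog", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'wmic nteventlog where "LogFileName=\'Application\'" call ClearEventLog'},
    {"name": "msiexec-set-log", "Image": "C:\\WINDOWS\\system32\\wevtutil.exe",
     "ParentImage": "C:\\Windows\\SysWOW64\\msiexec.exe",
     "CommandLine": '"C:\\WINDOWS\\system32\\wevtutil.exe" sl Microsoft-RMS-MSIPC/Debug /q:true /e:true /l:4 /rt:false'},
    {"name": "msiexec-clear-log", "Image": "C:\\WINDOWS\\system32\\wevtutil.exe",
     "ParentImage": "C:\\Windows\\SysWOW64\\msiexec.exe",
     "CommandLine": "wevtutil.exe cl Application"},
    {"name": "wevtutil-query", "Image": "C:\\Windows\\System32\\wevtutil.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "wevtutil.exe qe Security /c:10 /f:text"},
    {"name": "ps-get-eventlog", "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "pwsh.exe -Command Get-EventLog -LogName System -Newest 5"},
]


def alerting_events(events=SAMPLE_EVENTS):
    """Names of the events the rule would alert on, in input order."""
    return [e["name"] for e in events if matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['name']:<22} {'ALERT' if matches(e) else 'ok'}")
```

Two details of the rule show up in the samples: the `msiexec-set-log` event is the documented false positive and is suppressed, while `msiexec-clear-log` under the same parent still alerts because the filter only covers `' sl '`; and the trailing spaces in tokens such as `' cl '` and `'Clear-EventLog '` mean the command line must carry an argument after the verb, so a bare `wevtutil.exe cl` with nothing following does not match.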
Related rules
- NotPetya Ransomware Activity
- Security Eventlog Cleared
- Audit Policy Tampering Via Auditpol
- Audit Policy Tampering Via NT Resource Kit Auditpol
- Change Winevt Channel Access Permission Via Registry