Suspicious Eventlog Clear or Configuration Change

Detects clearing or reconfiguration of event logs using wevtutil, PowerShell and wmic. Might be used by ransomware during an attack (seen with NotPetya and others).

Sigma rule

title: Suspicious Eventlog Clear or Configuration Change
id: cc36992a-4671-4f21-a91d-6c2b72a2edf5
status: stable
description: Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md
    - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
    - https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee
    - https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/
author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105
date: 2019/09/26
modified: 2023/07/13
tags:
    - attack.defense_evasion
    - attack.t1070.001
    - attack.t1562.002
    - car.2016-04-002
logsource:
    category: process_creation
    product: windows
detection:
    selection_wevtutil:
        Image|endswith: '\wevtutil.exe'
        CommandLine|contains:
            - 'clear-log '          # clears specified log
            - ' cl '                # short version of 'clear-log'
            - 'set-log '            # modifies config of specified log. could be used to set it to a tiny size
            - ' sl '                # short version of 'set-log'
            - 'lfn:'                # change log file location and name
    selection_other_ps:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - 'Clear-EventLog '
            - 'Remove-EventLog '
            - 'Limit-EventLog '
            - 'Clear-WinEvent '
    selection_other_wmi:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wmic.exe'
        CommandLine|contains: 'ClearEventLog'
    filter_msiexec:
        # Example seen during office update/installation:
        #   ParentImage: C:\Windows\SysWOW64\msiexec.exe
        #   CommandLine: "C:\WINDOWS\system32\wevtutil.exe" sl Microsoft-RMS-MSIPC/Debug /q:true /e:true /l:4 /rt:false
        ParentImage:
            - 'C:\Windows\SysWOW64\msiexec.exe'
            - 'C:\Windows\System32\msiexec.exe'
        CommandLine|contains: ' sl '
    condition: 1 of selection_* and not 1 of filter_*
falsepositives:
    - Admin activity
    - Scripts and administrative tools used in the monitored environment
    - Maintenance activity
level: high
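To show how the three selections, the msiexec filter and the `1 of selection_* and not 1 of filter_*` condition combine on real process_creation fields, the following Python reimplements the rule's matching logic and runs it over a handful of constructed events. This is an added example, not code from the SigmaHQ project or a Sigma backend; the event dictionaries, their `id` values and the file paths are constructed for illustration (the msiexec event copies the false-positive case noted in the rule's own comment).

```python
"""Stand-alone re-implementation of the rule's detection logic, evaluated over
constructed process_creation events (example code, not the SigmaHQ rule itself)."""

from typing import Dict, List

# The three selections and the filter, copied from the rule's YAML.
# Sigma plain-string modifiers (contains/endswith) are case-insensitive,
# so every comparison below lowercases both sides.
SELECTION_WEVTUTIL = {
    "image_endswith": [r"\wevtutil.exe"],
    "cmd_contains": ["clear-log ", " cl ", "set-log ", " sl ", "lfn:"],
}
SELECTION_OTHER_PS = {
    "image_endswith": [r"\powershell.exe", r"\pwsh.exe"],
    "cmd_contains": ["Clear-EventLog ", "Remove-EventLog ", "Limit-EventLog ", "Clear-WinEvent "],
}
SELECTION_OTHER_WMI = {
    "image_endswith": [r"\powershell.exe", r"\pwsh.exe", r"\wmic.exe"],
    "cmd_contains": ["ClearEventLog"],
}
FILTER_MSIEXEC = {
    "parent_image": [r"C:\Windows\SysWOW64\msiexec.exe", r"C:\Windows\System32\msiexec.exe"],
    "cmd_contains": [" sl "],
}


def _endswith_any(value: str, suffixes: List[str]) -> bool:
    return any(value.lower().endswith(s.lower()) for s in suffixes)


def _contains_any(value: str, needles: List[str]) -> bool:
    return any(n.lower() in value.lower() for n in needles)


def _selection_matches(event: Dict[str, str], sel: Dict[str, List[str]]) -> bool:
    # Sigma AND-combines the fields inside one selection; each list is OR-ed.
    return _endswith_any(event.get("Image", ""), sel["image_endswith"]) and _contains_any(
        event.get("CommandLine", ""), sel["cmd_contains"]
    )


def _filter_msiexec_matches(event: Dict[str, str]) -> bool:
    # A plain (unmodified) field with a list means "equals any value", case-insensitive.
    parents = [p.lower() for p in FILTER_MSIEXEC["parent_image"]]
    return event.get("ParentImage", "").lower() in parents and _contains_any(
        event.get("CommandLine", ""), FILTER_MSIEXEC["cmd_contains"]
    )


def rule_matches(event: Dict[str, str]) -> bool:
    """condition: 1 of selection_* and not 1 of filter_*"""
    hit = any(
        _selection_matches(event, sel)
        for sel in (SELECTION_WEVTUTIL, SELECTION_OTHER_PS, SELECTION_OTHER_WMI)
    )
    return hit and not _filter_msiexec_matches(event)


# Constructed sample events with Sysmon-style field names; the ids and paths are
# illustrative only. The "office_update" entry copies the rule's own comment.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "clear_security", "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"id": "ps_clear", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Clear-EventLog -LogName System",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": "wmic_clear", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic nteventlog where LogFileName='Application' call ClearEventLog",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"id": "office_update", "Image": r"C:\WINDOWS\system32\wevtutil.exe",
     "CommandLine": r'"C:\WINDOWS\system32\wevtutil.exe" sl Microsoft-RMS-MSIPC/Debug /q:true /e:true /l:4 /rt:false',
     "ParentImage": r"C:\Windows\SysWOW64\msiexec.exe"},
    {"id": "query_only", "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe qe Security /c:5 /f:text", "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def evaluate(events: List[Dict[str, str]]) -> List[str]:
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{event['id']:15s} -> {'ALERT' if rule_matches(event) else 'no match'}")
```

Two things worth noticing when tuning this rule: the short-form tokens `' cl '` and `' sl '` only match with a space on both sides, so the full `CommandLine` field (not just the image name) must reach the SIEM for them to fire, and the msiexec filter suppresses only `sl` invocations with that exact parent, so a `wevtutil sl` launched from cmd.exe or a script still alerts, as the test below checks.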
