Suspicious Eventlog Clearing or Configuration Change Activity
Detects the clearing or configuration tampering of the Windows EventLog using utilities such as "wevtutil", "powershell" and "wmic". This technique has been seen used by threat actors and ransomware strains in order to evade defenses.
Sigma rule
title: Suspicious Eventlog Clearing or Configuration Change Activity
id: cc36992a-4671-4f21-a91d-6c2b72a2edf5
status: stable
description: |
    Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic".
    This technique has been seen used by threat actors and ransomware strains in order to evade defenses.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md
    - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
    - https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee
    - https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/
    - https://www.linkedin.com/posts/huntress-labs_when-a-sketchy-incident-hits-your-network-activity-7304940371078238208-Th_l/?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAJTlRcB28IaUtg03HUU-IdliwzoAL1flGc
    - https://stackoverflow.com/questions/66011412/how-to-clear-a-event-log-in-powershell-7
    - https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog?view=windowsdesktop-9.0&viewFallbackFrom=dotnet-plat-ext-5.0#System_Diagnostics_Eventing_Reader_EventLogSession_ClearLog_System_String_
    - https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear
author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2019-09-26
modified: 2025-03-12
tags:
    - attack.defense-evasion
    - attack.t1070.001
    - attack.t1562.002
    - car.2016-04-002
logsource:
    category: process_creation
    product: windows
detection:
    selection_wevtutil_img:
        - Image|endswith: '\wevtutil.exe'
        - OriginalFileName: 'wevtutil.exe'
    selection_wevtutil_cmd:
        CommandLine|contains:
            - 'clear-log ' # clears the specified log
            - ' cl '       # short version of 'clear-log'
            - 'set-log '   # modifies the config of the specified log; could be used to set it to a tiny size
            - ' sl '       # short version of 'set-log'
            - 'lfn:'       # changes the log file location and name
    selection_other_ps_img:
        Image|endswith:
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
    selection_other_ps_cmd:
        - CommandLine|contains:
              - 'Clear-EventLog '
              - 'Remove-EventLog '
              - 'Limit-EventLog '
              - 'Clear-WinEvent '
        - CommandLine|contains|all:
              - 'Eventing.Reader.EventLogSession' # [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($_.LogName)
              - 'ClearLog'
        - CommandLine|contains|all:
              - 'Diagnostics.EventLog'
              - 'Clear'
    selection_other_wmi:
        Image|endswith:
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
            - '\wmic.exe'
        CommandLine|contains: 'ClearEventLog'
    filter_main_msiexec:
        # Example seen during Office update/installation:
        #   ParentImage: C:\Windows\SysWOW64\msiexec.exe
        #   CommandLine: "C:\WINDOWS\system32\wevtutil.exe" sl Microsoft-RMS-MSIPC/Debug /q:true /e:true /l:4 /rt:false
        ParentImage:
            - 'C:\Windows\SysWOW64\msiexec.exe'
            - 'C:\Windows\System32\msiexec.exe'
        CommandLine|contains: ' sl '
    # Sigma evaluates 'and' before 'or', so the three selections are grouped explicitly;
    # otherwise the msiexec filter would only apply to selection_other_wmi and the
    # wevtutil case it describes would still alert.
    condition: (all of selection_wevtutil_* or all of selection_other_ps_* or selection_other_wmi) and not 1 of filter_main_*
falsepositives:
    - Admin activity
    - Scripts and administrative tools used in the monitored environment
    - Maintenance activity
level: high
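To see which process-creation events the rule fires on, here is an added Python evaluator (not part of the SigmaHQ rule or of any Sigma backend) that re-implements its selections, filter and condition by hand and runs them over constructed sample events; it mirrors Sigma's case-insensitive string matching and applies the msiexec filter to all three selections, as the filter's own comment intends.

```python
# Added example: hand-written evaluator for the Sigma rule above, run over
# constructed process_creation events. Not part of SigmaHQ or any Sigma backend.
WEVTUTIL_CMDS = ['clear-log ', ' cl ', 'set-log ', ' sl ', 'lfn:']
PS_IMAGES = (r'\powershell.exe', r'\powershell_ise.exe', r'\pwsh.exe')
PS_CMDS_ANY = ['Clear-EventLog ', 'Remove-EventLog ', 'Limit-EventLog ', 'Clear-WinEvent ']
PS_CMDS_ALL = [['Eventing.Reader.EventLogSession', 'ClearLog'], ['Diagnostics.EventLog', 'Clear']]
MSIEXEC = (r'c:\windows\syswow64\msiexec.exe', r'c:\windows\system32\msiexec.exe')

def contains(event, field, needle):
    # Sigma string modifiers match case-insensitively unless |cased is given
    return needle.lower() in event.get(field, '').lower()

def endswith(event, field, suffix):
    return event.get(field, '').lower().endswith(suffix.lower())

def sel_wevtutil(e):  # all of selection_wevtutil_*  (img is an OR list, cmd an OR list)
    img = endswith(e, 'Image', r'\wevtutil.exe') or e.get('OriginalFileName', '').lower() == 'wevtutil.exe'
    return img and any(contains(e, 'CommandLine', n) for n in WEVTUTIL_CMDS)

def sel_powershell(e):  # all of selection_other_ps_*  (cmd is an OR of one ANY list and two ALL lists)
    img = any(endswith(e, 'Image', s) for s in PS_IMAGES)
    cmd = any(contains(e, 'CommandLine', n) for n in PS_CMDS_ANY) or \
        any(all(contains(e, 'CommandLine', n) for n in grp) for grp in PS_CMDS_ALL)
    return img and cmd

def sel_wmi(e):  # selection_other_wmi
    img = any(endswith(e, 'Image', s) for s in PS_IMAGES + (r'\wmic.exe',))
    return img and contains(e, 'CommandLine', 'ClearEventLog')

def filter_msiexec(e):  # filter_main_msiexec: 'wevtutil sl' spawned by the Windows Installer
    return e.get('ParentImage', '').lower() in MSIEXEC and contains(e, 'CommandLine', ' sl ')

def matches(e):
    # The filter is applied to every selection, as its comment in the rule intends
    return (sel_wevtutil(e) or sel_powershell(e) or sel_wmi(e)) and not filter_msiexec(e)

EVENTS = [  # constructed sample events, not real telemetry; #3 mirrors the rule's Office-update example
    {'Image': r'C:\Windows\System32\wevtutil.exe', 'ParentImage': r'C:\Windows\System32\cmd.exe', 'CommandLine': 'wevtutil.exe CL Security'},
    {'Image': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe', 'ParentImage': r'C:\Windows\explorer.exe', 'CommandLine': "powershell -c [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog('Application')"},
    {'Image': r'C:\Windows\System32\wbem\WMIC.exe', 'ParentImage': r'C:\Windows\System32\cmd.exe', 'CommandLine': 'wmic nteventlog where LogFileName="Application" call ClearEventLog'},
    {'Image': r'C:\WINDOWS\system32\wevtutil.exe', 'ParentImage': r'C:\Windows\SysWOW64\msiexec.exe', 'CommandLine': r'"C:\WINDOWS\system32\wevtutil.exe" sl Microsoft-RMS-MSIPC/Debug /q:true /e:true /l:4 /rt:false'},
    {'Image': r'C:\Windows\System32\wevtutil.exe', 'ParentImage': r'C:\Windows\System32\cmd.exe', 'CommandLine': 'wevtutil.exe qe Security /c:5 /f:text'},  # read-only query, must not fire
]

def alerts():
    return [i for i, e in enumerate(EVENTS) if matches(e)]

if __name__ == '__main__':
    print('alerting events:', alerts())  # [0, 1, 2]
```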
Related rules
- Eventlog Cleared
- Important Windows Eventlog Cleared
- NotPetya Ransomware Activity
- Security Eventlog Cleared
- Suspicious Eventlog Clear