Suspicious Eventlog Clearing or Configuration Change Activity

Detects the clearing or configuration tampering of the Windows EventLog using utilities such as "wevtutil", "powershell" and "wmic". This technique has been used by threat actors and ransomware strains in order to evade defenses.

Sigma rule

```yaml
title: Suspicious Eventlog Clearing or Configuration Change Activity
id: cc36992a-4671-4f21-a91d-6c2b72a2edf5
status: stable
description: |
    Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic".
    This technique has been used by threat actors and ransomware strains in order to evade defenses.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md
    - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
    - https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee
    - https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/
author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105
date: 2019/09/26
modified: 2023/07/13
tags:
    - attack.defense_evasion
    - attack.t1070.001
    - attack.t1562.002
    - car.2016-04-002
logsource:
    category: process_creation
    product: windows
detection:
    selection_wevtutil:
        Image|endswith: '\wevtutil.exe'
        CommandLine|contains:
            - 'clear-log '          # clears specified log
            - ' cl '                # short version of 'clear-log'
            - 'set-log '            # modifies config of specified log. could be used to set it to a tiny size
            - ' sl '                # short version of 'set-log'
            - 'lfn:'                # change log file location and name
    selection_other_ps:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - 'Clear-EventLog '
            - 'Remove-EventLog '
            - 'Limit-EventLog '
            - 'Clear-WinEvent '
    selection_other_wmi:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wmic.exe'
        CommandLine|contains: 'ClearEventLog'
    filter_msiexec:
        # Example seen during office update/installation:
        #   ParentImage: C:\Windows\SysWOW64\msiexec.exe
        #   CommandLine: "C:\WINDOWS\system32\wevtutil.exe" sl Microsoft-RMS-MSIPC/Debug /q:true /e:true /l:4 /rt:false
        ParentImage:
            - 'C:\Windows\SysWOW64\msiexec.exe'
            - 'C:\Windows\System32\msiexec.exe'
        CommandLine|contains: ' sl '
    condition: 1 of selection_* and not 1 of filter_*
falsepositives:
    - Admin activity
    - Scripts and administrative tools used in the monitored environment
    - Maintenance activity
level: high
```
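As an added example (not code from the Sigma project or the rule authors), the following Python applies this rule's three selections, the msiexec filter and the condition `1 of selection_* and not 1 of filter_*` to a few constructed process-creation events, reproducing Sigma's case-insensitive `endswith`/`contains` semantics. The event field names follow the rule; the sample command lines and parent images are constructed for illustration.

```python
# Added example, not part of the Sigma project: applies the rule's detection
# logic to process-creation events. Sigma matching is case-insensitive.
SELECTIONS = {
    "selection_wevtutil": {
        "Image|endswith": ["\\wevtutil.exe"],
        "CommandLine|contains": ["clear-log ", " cl ", "set-log ", " sl ", "lfn:"]},
    "selection_other_ps": {
        "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
        "CommandLine|contains": ["Clear-EventLog ", "Remove-EventLog ",
                                 "Limit-EventLog ", "Clear-WinEvent "]},
    "selection_other_wmi": {
        "Image|endswith": ["\\powershell.exe", "\\pwsh.exe", "\\wmic.exe"],
        "CommandLine|contains": ["ClearEventLog"]},
}
FILTERS = {
    "filter_msiexec": {  # benign 'sl' calls spawned by msiexec during installs
        "ParentImage": ["C:\\Windows\\SysWOW64\\msiexec.exe",
                        "C:\\Windows\\System32\\msiexec.exe"],
        "CommandLine|contains": [" sl "]},
}

def _field_matches(event, spec, values):
    """One field condition; listed values are OR-ed, modifier as in Sigma."""
    field, _, modifier = spec.partition("|")
    actual = str(event.get(field, "")).lower()
    tests = {"endswith": actual.endswith, "contains": actual.__contains__,
             "": actual.__eq__}
    return any(tests[modifier](v.lower()) for v in values)

def _block_matches(event, block):
    """All field conditions inside one selection/filter are AND-ed."""
    return all(_field_matches(event, spec, vals) for spec, vals in block.items())

def matches_rule(event):
    """condition: 1 of selection_* and not 1 of filter_*"""
    selected = any(_block_matches(event, b) for b in SELECTIONS.values())
    filtered = any(_block_matches(event, b) for b in FILTERS.values())
    return selected and not filtered

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wevtutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wevtutil.exe cl Security"},                        # alert
    {"Image": r"C:\Windows\System32\wevtutil.exe", "ParentImage": r"C:\Windows\SysWOW64\msiexec.exe",
     "CommandLine": '"C:\\WINDOWS\\system32\\wevtutil.exe" sl Microsoft-RMS-MSIPC/Debug /q:true'},  # filtered
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "pwsh.exe -c Clear-EventLog -LogName Application"},  # alert
]
def evaluate_samples():
    return [matches_rule(e) for e in SAMPLE_EVENTS]
```

Note that the filter only suppresses the `sl` case under msiexec; a `cl` under the same parent would still alert, which matches the rule's intent.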
