attack.t1070.001

NotPetya Ransomware Activity

Nov 10, 2023 · attack.defense_evasion attack.t1218.011 attack.t1070.001 attack.credential_access attack.t1003.001 car.2016-04-002 detection.emerging_threats ·

Share on:

Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil

Suspicious Eventlog Clear

Oct 17, 2023 · attack.defense_evasion attack.t1070.001 ·

Share on:

Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the Windows event logs

Suspicious Eventlog Clear or Configuration Change

Jul 13, 2023 · attack.defense_evasion attack.t1070.001 attack.t1562.002 car.2016-04-002 ·

Share on:

Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).

Eventlog Cleared

May 17, 2023 · attack.defense_evasion attack.t1070.001 car.2016-04-002 ·

Share on:

One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution

Important Windows Eventlog Cleared

May 17, 2023 · attack.defense_evasion attack.t1070.001 car.2016-04-002 ·

Share on:

Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by "wevtutil cl" command execution

Suspicious Windows Trace ETW Session Tamper Via Logman.EXE

Feb 22, 2023 · attack.defense_evasion attack.t1562.001 attack.t1070.001 ·

Share on:

Detects the execution of "logman" utility in order to disable or delete Windows trace sessions

Security Eventlog Cleared

Feb 1, 2023 · attack.defense_evasion attack.t1070.001 car.2016-04-002 ·

Share on:

One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution