attack.t1070.001

Eventlog Cleared
May 17, 2023 · attack.defense_evasion attack.t1070.001 car.2016-04-002 ·
Share on:
One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution

Read More
Important Windows Eventlog Cleared
May 17, 2023 · attack.defense_evasion attack.t1070.001 car.2016-04-002 ·
Share on:
Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by "wevtutil cl" command execution

Read More
Suspicious Windows Trace ETW Session Tamper Via Logman.EXE
Feb 22, 2023 · attack.defense_evasion attack.t1562.001 attack.t1070.001 ·
Share on:
Detects the execution of "logman" utility in order to disable or delete Windows trace sessions

Read More
Security Eventlog Cleared
Feb 1, 2023 · attack.defense_evasion attack.t1070.001 car.2016-04-002 ·
Share on:
One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution

Read More
Suspicious Eventlog Clear
Feb 1, 2023 · attack.defense_evasion attack.t1070.001 ·
Share on:
Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the windows event logs

Read More
Suspicious Eventlog Clear or Configuration Change
Jan 18, 2023 · attack.defense_evasion attack.t1070.001 attack.t1562.002 car.2016-04-002 ·
Share on:
Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).

Read More
Security Event Log Cleared
Dec 27, 2022 · attack.t1070.001 ·
Share on:
Checks for event id 1102 which indicates the security event log was cleared.

Read More

Eventlog Cleared

Important Windows Eventlog Cleared

Suspicious Windows Trace ETW Session Tamper Via Logman.EXE

Security Eventlog Cleared

Suspicious Eventlog Clear

Suspicious Eventlog Clear or Configuration Change

Security Event Log Cleared