Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via a named pipe, the file system journal of drive C is deleted, and the Windows event logs are cleared using wevtutil.
Detects usage of known PowerShell cmdlets such as "Clear-EventLog" to clear the Windows event logs.
Detects clearing or reconfiguration of event logs using wevtutil, PowerShell or wmic. This behaviour has been observed in ransomware attacks (NotPetya and others).
One of the Windows event logs has been cleared, e.g. by execution of a "wevtutil cl" command.
Detects the clearing of one of the Windows core event logs, e.g. by execution of a "wevtutil cl" command.
Detects execution of the "logman" utility to disable or delete Windows trace sessions.
Checks for event ID 1102, which indicates that the Security event log was cleared.