Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.

Read More

Detects usage of powershell cmdlets to disable or remove ETW trace sessions

Read More

Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public"

Read More

Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.

Read More

Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence

Read More

Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence

Read More

Detect filter driver unloading activity via fltmc.exe

Read More

Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). Might be used by ransomwares during the attack (seen by NotPetya and others).

Read More

Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence

Read More

Detects attempts to delete Internet Information Services (IIS) log files via command line utilities, which is a common defense evasion technique used by attackers to cover their tracks. Threat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection.

Read More

Detects when events are deleted in Kubernetes. An adversary may delete Kubernetes events in an attempt to evade detection.

Read More

Detects linux package removal using builtin tools such as "yum", "apt", "apt-get" or "dpkg".

Read More

Detects potential malicious and unauthorized usage of bcdedit.exe

Read More

Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence

Read More

Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit

Read More

Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities

Read More

Detects possible Sysmon filter driver unloaded via fltmc.exe

Read More

Detects the deletion of registry keys containing the MSTSC connection history

Read More

Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence

Read More

Detects the use of wevtutil to clear or otherwise manipulate Windows event logs.

Read More