attack.t1685.005 on Detection.FYI

attack.t1685.005 on Detection.FYI https://detection.fyi/tags/attack.t1685.005/ Recent content in attack.t1685.005 on Detection.FYI Hugo -- gohugo.io Tue, 28 Apr 2026 23:20:23 +0000 Eventlog Cleared https://detection.fyi/sigmahq/sigma/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared/ One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution Important Windows Eventlog Cleared https://detection.fyi/sigmahq/sigma/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared/ Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by "wevtutil cl" command execution NotPetya Ransomware Activity https://detection.fyi/sigmahq/sigma/emerging-threats/2017/malware/notpetya/proc_creation_win_malware_notpetya/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/emerging-threats/2017/malware/notpetya/proc_creation_win_malware_notpetya/ Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil Security Eventlog Cleared https://detection.fyi/sigmahq/sigma/windows/builtin/security/win_security_audit_log_cleared/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/security/win_security_audit_log_cleared/ One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution Suspicious Eventlog Clear https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog/ Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the Windows event logs Suspicious Eventlog Clearing or Configuration Change Activity https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_susp_eventlog_clear/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_susp_eventlog_clear/ Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic". This technique were seen used by threat actors and ransomware strains in order to evade defenses. Suspicious Windows Trace ETW Session Tamper Via Logman.EXE https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_logman_disable_eventlog/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_logman_disable_eventlog/ Detects the execution of "logman" utility in order to disable or delete Windows trace sessions