car.2016-04-002 | Detection.FYI

Eventlog Cleared
May 17, 2023 · attack.defense_evasion attack.t1070.001 car.2016-04-002 ·
Share on:
One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution

Read More
Important Windows Eventlog Cleared
May 17, 2023 · attack.defense_evasion attack.t1070.001 car.2016-04-002 ·
Share on:
Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by "wevtutil cl" command execution

Read More
Disable of ETW Trace
Feb 21, 2023 · attack.defense_evasion attack.t1070 attack.t1562.006 car.2016-04-002 ·
Share on:
Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.

Read More
Disable of ETW Trace - Powershell
Feb 1, 2023 · attack.defense_evasion attack.t1070 attack.t1562.006 car.2016-04-002 ·
Share on:
Detects usage of powershell cmdlets to disable or remove ETW trace sessions

Read More
Security Eventlog Cleared
Feb 1, 2023 · attack.defense_evasion attack.t1070.001 car.2016-04-002 ·
Share on:
One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution

Read More
Suspicious Eventlog Clear or Configuration Change
Jan 18, 2023 · attack.defense_evasion attack.t1070.001 attack.t1562.002 car.2016-04-002 ·
Share on:
Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).

Read More