car.2016-04-002

Suspicious Eventlog Clearing or Configuration Change Activity

Apr 16, 2025 · attack.defense-evasion attack.t1070.001 attack.t1562.002 car.2016-04-002 ·

Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic". This technique were seen used by threat actors and ransomware strains in order to evade defenses.

Eventlog Cleared

Oct 1, 2024 · attack.defense-evasion attack.t1070.001 car.2016-04-002 ·

Share on:

One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution

Important Windows Eventlog Cleared

Oct 1, 2024 · attack.defense-evasion attack.t1070.001 car.2016-04-002 ·

Share on:

Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by "wevtutil cl" command execution

Disable of ETW Trace - Powershell

Aug 12, 2024 · attack.defense-evasion attack.t1070 attack.t1562.006 car.2016-04-002 ·

Share on:

Detects usage of powershell cmdlets to disable or remove ETW trace sessions

ETW Trace Evasion Activity

Aug 12, 2024 · attack.defense-evasion attack.t1070 attack.t1562.006 car.2016-04-002 ·

Share on:

Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.

NotPetya Ransomware Activity

Aug 12, 2024 · attack.defense-evasion attack.t1218.011 attack.t1070.001 attack.credential-access attack.t1003.001 car.2016-04-002 detection.emerging-threats ·

Share on:

Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil

Security Eventlog Cleared

Aug 12, 2024 · attack.defense-evasion attack.t1070.001 car.2016-04-002 ·

Share on:

One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution