One of the Windows event logs has been cleared, e.g. by execution of the "wevtutil cl" command.
Detects the clearing of one of the Windows core event logs, e.g. by execution of the "wevtutil cl" command.
Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via a named pipe, the file system journal of drive C: is deleted, and the Windows event logs are cleared using wevtutil.
Detects a command that clears or disables any ETW trace log, which could indicate logging evasion.
Detects usage of PowerShell cmdlets to disable or remove ETW trace sessions.
Detects clearing or reconfiguration of event logs using wevtutil, PowerShell and WMIC. Might be used by ransomware during an attack (seen with NotPetya and others).
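Detection logic for the behaviours described in the entries above, as an added example that is not part of the original page and not the selection of any published Sigma rule: a small Python matcher that applies Sigma-style command-line patterns to constructed Windows process-creation events (Sysmon Event ID 1 or Security 4688 style) and then correlates, per host, the clearing of all core logs with deletion of the USN journal. The rule names, regular expressions, cmdlet and tool lists, sample events and the correlation step are all this example's own assumptions; the named-pipe password handoff mentioned for NotPetya is not observable in process-creation events and is therefore not modelled.

```python
"""Sigma-style detection of event-log clearing and ETW tampering over constructed
process-creation events. Example code; patterns and samples are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass

# The four logs treated as "core" here (assumption for this example).
CORE_LOGS = {"application", "security", "system", "setup"}


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    command_line: str
    detail: str = ""


# Each rule is (name, pattern) applied to CommandLine only, like a Sigma
# `CommandLine|re` selection. Cmdlet/tool names are the example's assumptions.
RULES = [
    ("eventlog_cleared_wevtutil",          # wevtutil cl <log> / clear-log <log>
     re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(\S+)", re.I)),
    ("eventlog_config_wevtutil",           # wevtutil sl <log> /e:false disables a log
     re.compile(r"\bwevtutil(?:\.exe)?\s+(?:sl|set-log)\b.*/e:false\b", re.I)),
    ("eventlog_tamper_powershell",         # Clear-/Remove-/Limit-EventLog cmdlets
     re.compile(r"\b(?:Clear|Remove|Limit)-EventLog\b", re.I)),
    ("eventlog_cleared_wmic",              # wmic nteventlog ... call ClearEventLog
     re.compile(r"\bnteventlog\b.*\bClearEventLog\b", re.I)),
    ("etw_trace_tamper_logman",            # logman stop/delete/update <session>
     re.compile(r"\blogman(?:\.exe)?\s+(?:stop|delete|update)\b", re.I)),
    ("etw_trace_tamper_powershell",        # EventTracingManagement cmdlets
     re.compile(r"\bRemove-EtwTraceSession\b|\b(?:Set|Remove)-EtwTraceProvider\b", re.I)),
    ("usn_journal_deleted",                # fsutil usn deletejournal /D C:
     re.compile(r"\bfsutil(?:\.exe)?\s+usn\s+deletejournal\b", re.I)),
]

# Constructed sample events (not real telemetry). The last three are benign
# look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"Host": "ws01", "CommandLine": "wevtutil cl Security"},
    {"Host": "ws01", "CommandLine": "wevtutil.exe clear-log Microsoft-Windows-PowerShell/Operational"},
    {"Host": "ws01", "CommandLine": "wevtutil sl Microsoft-Windows-Sysmon/Operational /e:false"},
    {"Host": "ws02", "CommandLine": 'powershell -nop -c "Clear-EventLog -LogName Application,System"'},
    {"Host": "ws02", "CommandLine": "wmic nteventlog where LogFileName='Security' call ClearEventLog"},
    {"Host": "ws02", "CommandLine": "logman stop EventLog-Application -ets"},
    {"Host": "ws02", "CommandLine": 'powershell "Remove-EtwTraceSession -Name EventLog-Security"'},
    {"Host": "srv03", "CommandLine": "cmd /c wevtutil cl Setup & wevtutil cl System & "
                                     "wevtutil cl Security & wevtutil cl Application & "
                                     "fsutil usn deletejournal /D C:"},
    {"Host": "ws01", "CommandLine": "wevtutil qe Security /c:5 /f:text"},
    {"Host": "ws01", "CommandLine": 'powershell "Get-EventLog -LogName Security -Newest 10"'},
    {"Host": "ws02", "CommandLine": "logman query -ets"},
]


def detect(events):
    """Run every rule over every event; one Finding per match (per log for wevtutil cl)."""
    findings = []
    for ev in events:
        cmd, host = ev["CommandLine"], ev["Host"]
        for name, pattern in RULES:
            matches = list(pattern.finditer(cmd))
            if not matches:
                continue
            if name != "eventlog_cleared_wevtutil":
                findings.append(Finding(name, host, cmd))
                continue
            for m in matches:  # a chained command line may clear several logs
                log = m.group(1)
                findings.append(Finding(name, host, cmd, log))
                if log.lower() in CORE_LOGS:
                    findings.append(Finding("core_eventlog_cleared", host, cmd, log))
    return findings


def summarize(findings):
    """Count findings per rule name."""
    counts = defaultdict(int)
    for f in findings:
        counts[f.rule] += 1
    return dict(counts)


def correlate_notpetya_like(findings):
    """Hosts where all core logs were cleared AND the USN journal was deleted."""
    cleared, journal = defaultdict(set), set()
    for f in findings:
        if f.rule == "core_eventlog_cleared":
            cleared[f.host].add(f.detail.lower())
        elif f.rule == "usn_journal_deleted":
            journal.add(f.host)
    return sorted(h for h in journal if cleared[h] == CORE_LOGS)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for rule, n in sorted(summarize(found).items()):
        print(f"{rule:32s} {n}")
    print("NotPetya-like chain on:", correlate_notpetya_like(found))
```

Command-line matching only sees the clearing attempt; the event log service itself records a successful clear (Security log: Event ID 1102, System log: Event ID 104), so a production rule set should alert on those as well, since they survive renamed binaries and obfuscated command lines.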