Detectionmediumtest

EventLog EVTX File Deleted

Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Wed Feb 1563c779ba-f638-40a0-a593-ddd45e8b1ddcwindows

Log Source

WindowsFile Delete

ProductWindows← raw: windows

CategoryFile Delete← raw: file_delete

Detection Logic

detection:
    selection:
        TargetFilename|startswith: 'C:\Windows\System32\winevt\Logs\'
        TargetFilename|endswith: '.evtx'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

Internal Research

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Techniques

T1070 · Indicator Removal

Rule Metadata

Rule ID

63c779ba-f638-40a0-a593-ddd45e8b1ddc

Status

test

Level

medium

Type

Detection

Created

Wed Feb 15

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/file/file_delete/file_delete_win_delete_event_log_files.yml

Raw Tags

attack.defense-evasionattack.t1070

View on GitHub