Eventlog Cleared
One of the Windows Eventlogs has been cleared, e.g. caused by "wevtutil cl" command execution.
detection:
  selection:
    EventID: 104
    Provider_Name: 'Microsoft-Windows-Eventlog'
  filter_main_covered:
    # The channels below are already covered by the rule 100ef69e-3327-481c-8e5c-6d80d9507556
    Channel:
      - 'Microsoft-Windows-PowerShell/Operational'
      - 'Microsoft-Windows-Sysmon/Operational'
      - 'PowerShellCore/Operational'
      - 'Security'
      - 'System'
      - 'Windows PowerShell'
  condition: selection and not 1 of filter_main_*
False positives
Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
System provisioning (system reset before the golden image creation)
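To make the selection/filter split concrete, here is the rule's logic re-implemented in Python and run over constructed Event ID 104 records (an added example, not code from the rule page or the Sigma project; every record value, including the user names and the "Constructed-Other-Provider" name, is made up):

```python
# Added example (not from the rule page or the Sigma project): the rule's logic in
# Python, run over constructed Event ID 104 records to show which cleared channels
# it alerts on and which it leaves to the related rule. All record values are constructed.
# filter_main_covered: channels already handled by rule 100ef69e-3327-481c-8e5c-6d80d9507556
COVERED_CHANNELS = {
    "microsoft-windows-powershell/operational",
    "microsoft-windows-sysmon/operational",
    "powershellcore/operational",
    "security",
    "system",
    "windows powershell",
}

def _norm(value) -> str:
    # Sigma string comparisons are case-insensitive by default
    return "" if value is None else str(value).casefold()

def selection(event: dict) -> bool:
    """selection: Event ID 104 written by the Eventlog service itself."""
    return event.get("EventID") == 104 and _norm(event.get("Provider_Name")) == "microsoft-windows-eventlog"

def filter_main_covered(event: dict) -> bool:
    """filter_main_covered: the cleared channel is one the related rule covers."""
    return _norm(event.get("Channel")) in COVERED_CHANNELS

def matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not filter_main_covered(event)

# Constructed System-log records, field names as the Sigma windows/system logsource exposes them
SAMPLE_EVENTS = [
    {"EventID": 104, "Provider_Name": "Microsoft-Windows-Eventlog",
     "Channel": "Microsoft-Windows-TaskScheduler/Operational", "SubjectUserName": "admin"},
    {"EventID": 104, "Provider_Name": "Microsoft-Windows-Eventlog",
     "Channel": "Security", "SubjectUserName": "admin"},           # covered: related rule's job
    {"EventID": 104, "Provider_Name": "Microsoft-Windows-Eventlog",
     "Channel": "Application", "SubjectUserName": "svc_deploy"},
    {"EventID": 104, "Provider_Name": "Constructed-Other-Provider",
     "Channel": "Setup", "SubjectUserName": "SYSTEM"},             # same ID, wrong provider
    {"EventID": 1102, "Provider_Name": "Microsoft-Windows-Eventlog",
     "Channel": "Security", "SubjectUserName": "admin"},           # not Event ID 104
]

def alerts(events: list) -> list:
    """(channel, user) pairs for the records this rule would raise an alert on."""
    return [(e["Channel"], e["SubjectUserName"]) for e in events if matches(e)]

if __name__ == "__main__":
    for channel, user in alerts(SAMPLE_EVENTS):
        print(f"Eventlog Cleared: channel={channel} cleared by {user}")
```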
f2f01843-e7b8-4f95-a35a-d23584476423
Related rules
Security Eventlog Cleared
One of the Windows Eventlogs has been cleared, e.g. caused by "wevtutil cl" command execution.
This rule was derived from the related rule; both detect similar activity with a different scope.
Important Windows Eventlog Cleared
Detects the clearing of one of the Windows Core Eventlogs, e.g. caused by "wevtutil cl" command execution.
This rule was derived from the related rule; both detect similar activity with a different scope.