Detectionhightest
Potentially Suspicious Call To Win32_NTEventlogFile Class
Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Thu Jul 13caf201a9-c2ce-4a26-9c3a-2b9525413711windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic2 selectors
detection:
selection_class:
CommandLine|contains: 'Win32_NTEventlogFile'
selection_function:
CommandLine|contains:
- '.BackupEventlog('
- '.ChangeSecurityPermissions('
- '.ChangeSecurityPermissionsEx('
- '.ClearEventLog('
- '.Delete('
- '.DeleteEx('
- '.Rename('
- '.TakeOwnerShip('
- '.TakeOwnerShipEx('
condition: all of selection_*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
References
MITRE ATT&CK
Tactics
Rule Metadata
Rule ID
caf201a9-c2ce-4a26-9c3a-2b9525413711
Status
test
Level
high
Type
Detection
Created
Thu Jul 13
Path
rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml
Raw Tags
attack.defense-evasion