Detection · high · stable
Suspicious Eventlog Clearing or Configuration Change Activity
Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic". This technique has been seen used by threat actors and ransomware strains in order to evade defenses.
Authors: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105, Swachchhanda Shrawan Poudel (Nextron Systems)
Created: Thu Sep 26 · Updated: Wed Mar 12
Rule ID: cc36992a-4671-4f21-a91d-6c2b72a2edf5 · Product: windows
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
detection:
    selection_wevtutil_img:
        - Image|endswith: '\wevtutil.exe'
        - OriginalFileName: 'wevtutil.exe'
    selection_wevtutil_cmd:
        CommandLine|contains:
            - 'clear-log ' # clears specified log
            - ' cl ' # short version of 'clear-log'
            - 'set-log ' # modifies config of specified log. could be used to set it to a tiny size
            - ' sl ' # short version of 'set-log'
            - 'lfn:' # change log file location and name
    selection_other_ps_img:
        Image|endswith:
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
    selection_other_ps_cmd:
        - CommandLine|contains:
              - 'Clear-EventLog '
              - 'Remove-EventLog '
              - 'Limit-EventLog '
              - 'Clear-WinEvent '
        - CommandLine|contains|all:
              - 'Eventing.Reader.EventLogSession' # [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($_.LogName)
              - 'ClearLog'
        - CommandLine|contains|all:
              - 'Diagnostics.EventLog'
              - 'Clear'
    selection_other_wmi:
        Image|endswith:
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
            - '\wmic.exe'
        CommandLine|contains: 'ClearEventLog'
    filter_main_msiexec:
        # Example seen during office update/installation:
        # ParentImage: C:\Windows\SysWOW64\msiexec.exe
        # CommandLine: "C:\WINDOWS\system32\wevtutil.exe" sl Microsoft-RMS-MSIPC/Debug /q:true /e:true /l:4 /rt:false
        ParentImage:
            - 'C:\Windows\SysWOW64\msiexec.exe'
            - 'C:\Windows\System32\msiexec.exe'
        CommandLine|contains: ' sl '
    condition: (all of selection_wevtutil_*) or (all of selection_other_ps_*) or (selection_other_wmi) and not 1 of filter_main_*
False Positives
Admin activity
Scripts and administrative tools used in the monitored environment
Maintenance activity
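As an added illustration that is not part of the Sigma rule or of SigmaHQ, the Python below re-implements the six selectors and the condition above and runs them over a handful of constructed process-creation events, including the office-update example quoted in the filter_main_msiexec comment. It follows Sigma defaults: string tests are case-insensitive, a list under one field is an OR, sibling fields in a map are an AND. In Sigma's condition grammar `and` binds tighter than `or`, so the trailing `and not 1 of filter_main_*` attaches to `selection_other_wmi` only; rule_matches reproduces that literally, and its `filter_all_selections` switch (an assumed variant, not something the rule states) shows what changes if the three selections were parenthesized so the filter covered all of them.

```python
"""Re-implementation of the rule's selectors over constructed events.

Example code added here; it is not part of the Sigma rule or SigmaHQ.
Event dicts use Sigma's process_creation field names. Matching follows
Sigma defaults: comparisons are case-insensitive, '|contains' is a
substring test, '|endswith' a suffix test, a plain value an equality test.
"""

PS_IMAGES = ["\\powershell.exe", "\\powershell_ise.exe", "\\pwsh.exe"]


def _norm(value):
    return (value or "").lower()


def _contains(value, needles):
    """|contains with a list: true if ANY needle occurs."""
    v = _norm(value)
    return any(n.lower() in v for n in needles)


def _contains_all(value, needles):
    """|contains|all: true only if EVERY needle occurs."""
    v = _norm(value)
    return all(n.lower() in v for n in needles)


def _endswith(value, suffixes):
    v = _norm(value)
    return any(v.endswith(s.lower()) for s in suffixes)


def sel_wevtutil_img(e):
    # A list of maps under the selector means OR between the two field tests.
    return (_endswith(e.get("Image"), ["\\wevtutil.exe"])
            or _norm(e.get("OriginalFileName")) == "wevtutil.exe")


def sel_wevtutil_cmd(e):
    return _contains(e.get("CommandLine"),
                     ["clear-log ", " cl ", "set-log ", " sl ", "lfn:"])


def sel_other_ps_img(e):
    return _endswith(e.get("Image"), PS_IMAGES)


def sel_other_ps_cmd(e):
    cl = e.get("CommandLine")
    return (_contains(cl, ["Clear-EventLog ", "Remove-EventLog ",
                           "Limit-EventLog ", "Clear-WinEvent "])
            or _contains_all(cl, ["Eventing.Reader.EventLogSession", "ClearLog"])
            or _contains_all(cl, ["Diagnostics.EventLog", "Clear"]))


def sel_other_wmi(e):
    # Two sibling fields in one map: both must match (AND).
    return (_endswith(e.get("Image"), PS_IMAGES + ["\\wmic.exe"])
            and _contains(e.get("CommandLine"), ["ClearEventLog"]))


def filter_main_msiexec(e):
    parents = ["c:\\windows\\syswow64\\msiexec.exe",
               "c:\\windows\\system32\\msiexec.exe"]
    return (_norm(e.get("ParentImage")) in parents
            and _contains(e.get("CommandLine"), [" sl "]))


def rule_matches(e, filter_all_selections=False):
    """Evaluate the rule's condition for one event.

    Literal reading: 'and' binds tighter than 'or' in Sigma, so the filter
    only attaches to selection_other_wmi. filter_all_selections is an
    assumed variant in which the filter is applied to every selection.
    """
    wevtutil = sel_wevtutil_img(e) and sel_wevtutil_cmd(e)
    ps = sel_other_ps_img(e) and sel_other_ps_cmd(e)
    wmi = sel_other_wmi(e)
    if filter_all_selections:
        return (wevtutil or ps or wmi) and not filter_main_msiexec(e)
    return wevtutil or ps or (wmi and not filter_main_msiexec(e))


# Constructed sample events (not real telemetry). The fourth one is the
# office-update example quoted in the rule's filter_main_msiexec comment.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\wevtutil.exe", "OriginalFileName": "wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -Command Clear-EventLog -LogName Security",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Image": "C:\\Windows\\System32\\wbem\\wmic.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic.exe nteventlog where LogFileName='Application' call ClearEventLog",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\WINDOWS\\system32\\wevtutil.exe", "OriginalFileName": "wevtutil.exe",
     "CommandLine": "\"C:\\WINDOWS\\system32\\wevtutil.exe\" sl Microsoft-RMS-MSIPC/Debug /q:true /e:true /l:4 /rt:false",
     "ParentImage": "C:\\Windows\\SysWOW64\\msiexec.exe"},
    {"Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe notes.txt",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]


def verdicts(events, **kwargs):
    """Return one bool per event, in input order."""
    return [rule_matches(e, **kwargs) for e in events]


if __name__ == "__main__":
    for e, literal, strict in zip(SAMPLE_EVENTS, verdicts(SAMPLE_EVENTS),
                                  verdicts(SAMPLE_EVENTS, filter_all_selections=True)):
        print(f"literal={literal!s:5} filter_all={strict!s:5} {e['CommandLine']}")
```

Run as a script to print both verdicts per event. Under the literal condition the msiexec `wevtutil sl` sample is still flagged, because the filter never reaches the wevtutil branch; with the switch on it is suppressed, which is what the filter's comment describes. When tuning the rule for a real backend, check the converted query produced by the Sigma tooling rather than relying on this re-implementation.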
References
github.com
eqllib.readthedocs.io
learn.microsoft.com
gist.github.com
jdhnet.wordpress.com
linkedin.com
stackoverflow.com
learn.microsoft.com
learn.microsoft.com
MITRE ATT&CK
Tactics: Defense Evasion (attack.defense-evasion)
Techniques: T1070.001, T1562.002
CAR Analytics
CAR 2016-04-002
Rule Metadata
Rule ID: cc36992a-4671-4f21-a91d-6c2b72a2edf5
Status: stable
Level: high
Type: Detection
Created: Thu Sep 26
Modified: Wed Mar 12
Author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105, Swachchhanda Shrawan Poudel (Nextron Systems)
Path: rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
Raw Tags: attack.defense-evasion, attack.t1070.001, attack.t1562.002, car.2016-04-002