Detection · high · test

Security Eventlog Cleared

One of the Windows event logs has been cleared, e.g. by execution of the "wevtutil cl" command.

Author: Florian Roth (Nextron Systems) · Created Tue Jan 10 · Updated Thu Feb 24 · d99b79d2-0a6f-4f46-ad8b-260b6e17f982 · windows
Log Source
Product: Windows (raw: windows)
Service: security (raw: security)
Detection Logic (2 selectors)
detection:
    selection_517:
        EventID: 517
        Provider_Name: Security
    selection_1102:
        EventID: 1102
        Provider_Name: Microsoft-Windows-Eventlog
    condition: 1 of selection_*
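As an added example (not part of the rule or of this catalog page), the two selectors and the "1 of selection_*" condition above evaluated against constructed Windows event records. The field names and values are the rule's own; the sample events and the helper names are assumptions. Sigma's default case-insensitive string matching is applied, which the page's YAML implies but does not spell out.

```python
"""Evaluate the 'Security Eventlog Cleared' detection logic against constructed events.

Each selection_* block is a logical AND over its fields; the condition
'1 of selection_*' fires when at least one selection matches.
"""
from typing import Dict, List

# Selectors transcribed from the rule's detection block.
SELECTIONS: Dict[str, Dict[str, object]] = {
    "selection_517": {"EventID": 517, "Provider_Name": "Security"},
    "selection_1102": {"EventID": 1102, "Provider_Name": "Microsoft-Windows-Eventlog"},
}

def _value_matches(actual: object, expected: object) -> bool:
    """Sigma compares plain string values case-insensitively; other types exactly."""
    if isinstance(actual, str) and isinstance(expected, str):
        return actual.casefold() == expected.casefold()
    return actual == expected

def selection_matches(event: Dict[str, object], selection: Dict[str, object]) -> bool:
    """Every field of the selection must be present in the event with a matching value."""
    return all(field in event and _value_matches(event[field], value)
               for field, value in selection.items())

def matching_selections(event: Dict[str, object]) -> List[str]:
    """Names of the selection_* blocks this event satisfies."""
    return [name for name, sel in SELECTIONS.items() if selection_matches(event, sel)]

def rule_fires(event: Dict[str, object]) -> bool:
    """'1 of selection_*': at least one selection block matched."""
    return len(matching_selections(event)) >= 1

# Constructed sample events, not real telemetry. Extra fields are ignored by the selectors.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # Security audit log cleared, as written by the Eventlog provider on current Windows
    {"EventID": 1102, "Provider_Name": "Microsoft-Windows-Eventlog",
     "Channel": "Security", "SubjectUserName": "jdoe"},
    # Legacy audit-log-cleared event carried by the Security provider
    {"EventID": 517, "Provider_Name": "Security", "Channel": "Security"},
    # Same EventID from an unrelated provider: must not fire
    {"EventID": 1102, "Provider_Name": "Contoso-Agent", "Channel": "Application"},
    # Ordinary logon event: must not fire
    {"EventID": 4624, "Provider_Name": "Microsoft-Windows-Security-Auditing"},
]

def run_rule(events: List[Dict[str, object]]) -> List[int]:
    """Indices of the events that trigger the rule."""
    return [i for i, ev in enumerate(events) if rule_fires(ev)]

if __name__ == "__main__":
    for i in run_rule(SAMPLE_EVENTS):
        print(f"ALERT event[{i}] matched {matching_selections(SAMPLE_EVENTS[i])}")
```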
False Positives

Rollout of log collection agents (the setup routine often includes a reset of the local event log)

System provisioning (system reset before golden image creation)

MITRE ATT&CK

attack.defense-evasion · attack.t1070.001
CAR Analytics

CAR 2016-04-002
Related Rules (similar)

f2f01843-e7b8-4f95-a35a-d23584476423 (rule not found)

a122ac13-daf8-4175-83a2-72c387be339d (rule not found)
Rule Metadata
Rule ID: d99b79d2-0a6f-4f46-ad8b-260b6e17f982
Status: test
Level: high
Type: Detection
Created: Tue Jan 10
Modified: Thu Feb 24
Path: rules/windows/builtin/security/win_security_audit_log_cleared.yml
Raw Tags: attack.defense-evasion, attack.t1070.001, car.2016-04-002