Detection rules › Kusto Query Language

Clearing of forensic evidence from event logs using wevtutil

Source
upstream

This query checks for attempts to clear at least 10 log entries from event logs using wevtutil. Clearing event logs can be a sign of ransomware activity, as ransomware often attempts to cover its tracks by deleting logs.

MITRE ATT&CK coverage

| Tactic | Techniques |
| --- | --- |
| Defense Evasion | T1070 Indicator Removal |

Event coverage

| Provider | Event ID | Title |
| --- | --- | --- |
| Sysmon | 1 | Process creation |
| Security-Auditing | 4688 | A new process has been created. |
| Defender-DeviceProcessEvents | 9001000 | Process activity (any) |

Stages and Predicates

Stage 1: source

DeviceProcessEvents

Stage 2: where

and
  ProcessCommandLine match "CL"
  ProcessCommandLine match "WEVTUTIL"

Stage 3: summarize

Stage 4: where

LogClearCount gt "10"

Stage 5: extend

Stage 6: extend
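The following is an added example, not the rule's own KQL, that replays stages 2 to 4 of the pipeline above in Python over constructed DeviceProcessEvents rows so the threshold logic can be checked offline. It assumes that the catalog's "match" operator is a case-insensitive substring test, that stage 3 summarizes per DeviceName into LogClearCount, and that the sample rows are fabricated (not real telemetry).

```python
from collections import defaultdict

# Stage 2 predicate values from the rule. Assumption: "match" is a
# case-insensitive substring test, so both strings must appear in the line.
PREDICATES = ("CL", "WEVTUTIL")


def stage2_where(event):
    """Stage 2: keep rows whose ProcessCommandLine contains every predicate value."""
    cmd = event.get("ProcessCommandLine", "").upper()
    return all(p in cmd for p in PREDICATES)


def stage3_summarize(events):
    """Stage 3: LogClearCount per device (assumed grouping key: DeviceName)."""
    counts = defaultdict(int)
    for e in events:
        if stage2_where(e):
            counts[e["DeviceName"]] += 1
    return dict(counts)


def stage4_where(counts, threshold=10):
    """Stage 4: LogClearCount gt 10 -> only devices over the threshold alert."""
    return {dev: n for dev, n in counts.items() if n > threshold}


def detect(events):
    """Run stages 2-4 and return {DeviceName: LogClearCount} for alerting rows."""
    return stage4_where(stage3_summarize(events))


# Constructed sample data: ws-01 clears 12 channels (alerts), ws-02 clears one
# channel and runs a query (below threshold), ws-03 has "CL" but not wevtutil.
CHANNELS = ["Application", "Security", "System", "Setup"] + [
    f"Constructed-Channel-{i}" for i in range(8)
]
SAMPLE_EVENTS = [
    {"DeviceName": "ws-01", "ProcessCommandLine": f'wevtutil.exe cl "{ch}"'}
    for ch in CHANNELS
] + [
    {"DeviceName": "ws-02", "ProcessCommandLine": "WEVTUTIL CL Application"},
    {"DeviceName": "ws-02", "ProcessCommandLine": "wevtutil.exe qe Security /c:5"},
    {"DeviceName": "ws-03", "ProcessCommandLine": "cl.exe /c main.c"},
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))  # {'ws-01': 12}
```

Because the substring test is so broad, a single device clearing many channels in one burst is what pushes LogClearCount over 10; one-off clears or `wevtutil qe` queries stay under the threshold.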

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

| Field | Kind | Values |
| --- | --- | --- |
| LogClearCount | gt | 10 |
| ProcessCommandLine | match | CL, WEVTUTIL |