
Suspicious Eventlog Clearing or Configuration Change Activity

Status: stable
Severity: high
Author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105, Swachchhanda Shrawan Poudel (Nextron Systems)
Source: github.com/SigmaHQ/sigma

Detects the clearing or configuration tampering of the Windows EventLog using utilities such as "wevtutil", "powershell" and "wmic". This technique has been seen used by threat actors and ransomware strains to evade defenses.

MITRE ATT&CK coverage

Event coverage

Provider | Event      | Title
Sysmon   | Event ID 1 | Process creation

Rule body (yaml)

title: Suspicious Eventlog Clearing or Configuration Change Activity
id: cc36992a-4671-4f21-a91d-6c2b72a2edf5
status: stable
description: |
    Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic".
    This technique were seen used by threat actors and ransomware strains in order to evade defenses.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md
    - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
    - https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee
    - https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/
    - https://www.linkedin.com/posts/huntress-labs_when-a-sketchy-incident-hits-your-network-activity-7304940371078238208-Th_l/?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAJTlRcB28IaUtg03HUU-IdliwzoAL1flGc
    - https://stackoverflow.com/questions/66011412/how-to-clear-a-event-log-in-powershell-7
    - https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog?view=windowsdesktop-9.0&viewFallbackFrom=dotnet-plat-ext-5.0#System_Diagnostics_Eventing_Reader_EventLogSession_ClearLog_System_String_
    - https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear
author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2019-09-26
modified: 2026-06-01
tags:
    - attack.defense-impairment
    - attack.t1685.005
    - attack.t1685.001
    - car.2016-04-002
logsource:
    category: process_creation
    product: windows
detection:
    selection_wevtutil_img:
        - Image|endswith: '\wevtutil.exe'
        - OriginalFileName: 'wevtutil.exe'
    selection_wevtutil_cmd:
        CommandLine|contains:
            - 'clear-log '          # clears specified log
            - ' cl '                # short version of 'clear-log'
            - 'set-log '            # modifies config of specified log. could be used to set it to a tiny size
            - ' sl '                # short version of 'set-log'
            - 'lfn:'                # change log file location and name
    selection_other_ps_img:
        Image|endswith:
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
    selection_other_ps_cmd:
        - CommandLine|contains:
              - 'Clear-EventLog '
              - 'Remove-EventLog '
              - 'Limit-EventLog '
              - 'Clear-WinEvent '
        - CommandLine|contains|all:
              - 'Eventing.Reader.EventLogSession' # [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($_.LogName)
              - 'ClearLog'
        - CommandLine|contains|all:
              - 'Diagnostics.EventLog'
              - 'Clear'
    selection_other_wmi:
        Image|endswith:
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
            - '\wmic.exe'
        CommandLine|contains: 'ClearEventLog'
    filter_main_msiexec:
        # Example seen during office update/installation:
        #   ParentImage: C:\Windows\SysWOW64\msiexec.exe
        #   CommandLine: "C:\WINDOWS\system32\wevtutil.exe" sl Microsoft-RMS-MSIPC/Debug /q:true /e:true /l:4 /rt:false
        ParentImage:
            - 'C:\Windows\SysWOW64\msiexec.exe'
            - 'C:\Windows\System32\msiexec.exe'
        CommandLine|contains: ' sl '
    condition: ((all of selection_wevtutil_*) or (all of selection_other_ps_*) or selection_other_wmi) and not 1 of filter_main_*
falsepositives:
    - Admin activity
    - Scripts and administrative tools used in the monitored environment
    - Maintenance activity
level: high

Stages and Predicates

Stage 0: condition

((all of selection_wevtutil_*) or (all of selection_other_ps_*) or selection_other_wmi) and not 1 of filter_main_*

Stage 1: selection_wevtutil_img

selection_wevtutil_img:
    - Image|endswith: '\wevtutil.exe'
    - OriginalFileName: 'wevtutil.exe'

Stage 2: selection_wevtutil_cmd

selection_wevtutil_cmd:
    CommandLine|contains:
        - 'clear-log '          # clears specified log
        - ' cl '                # short version of 'clear-log'
        - 'set-log '            # modifies config of specified log. could be used to set it to a tiny size
        - ' sl '                # short version of 'set-log'
        - 'lfn:'                # change log file location and name

Stage 3: selection_other_ps_img

selection_other_ps_img:
    Image|endswith:
        - '\powershell.exe'
        - '\powershell_ise.exe'
        - '\pwsh.exe'

Stage 4: selection_other_ps_cmd

selection_other_ps_cmd:
    - CommandLine|contains:
          - 'Clear-EventLog '
          - 'Remove-EventLog '
          - 'Limit-EventLog '
          - 'Clear-WinEvent '
    - CommandLine|contains|all:
          - 'Eventing.Reader.EventLogSession' # [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($_.LogName)
          - 'ClearLog'
    - CommandLine|contains|all:
          - 'Diagnostics.EventLog'
          - 'Clear'

Stage 5: selection_other_wmi

selection_other_wmi:
    Image|endswith:
        - '\powershell.exe'
        - '\powershell_ise.exe'
        - '\pwsh.exe'
        - '\wmic.exe'
    CommandLine|contains: 'ClearEventLog'

Stage 6: not filter_main_msiexec

filter_main_msiexec:
    # Example seen during office update/installation:
    #   ParentImage: C:\Windows\SysWOW64\msiexec.exe
    #   CommandLine: "C:\WINDOWS\system32\wevtutil.exe" sl Microsoft-RMS-MSIPC/Debug /q:true /e:true /l:4 /rt:false
    ParentImage:
        - 'C:\Windows\SysWOW64\msiexec.exe'
        - 'C:\Windows\System32\msiexec.exe'
    CommandLine|contains: ' sl '
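
Added example (not part of the SigmaHQ rule or its tooling): a hand-written Python evaluator for the condition above, run over constructed Sysmon Event ID 1 records, showing each selection branch firing and the msiexec filter suppressing the installer-driven "wevtutil sl" case. The event dictionaries and their command lines are constructed samples, not real telemetry.

```python
from typing import Dict, List, Optional

PS_IMAGES = ["\\powershell.exe", "\\powershell_ise.exe", "\\pwsh.exe"]
MSIEXEC_PARENTS = {"c:\\windows\\syswow64\\msiexec.exe", "c:\\windows\\system32\\msiexec.exe"}

# Constructed sample events (not real telemetry); keys mirror the Sysmon EID 1 fields the rule uses.
EVENTS: List[Dict[str, str]] = [
    {"Image": "C:\\Windows\\System32\\wevtutil.exe", "OriginalFileName": "wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Windows\\System32\\wevtutil.exe", "OriginalFileName": "wevtutil.exe",  # benign: filter_main_msiexec case
     "CommandLine": "\"C:\\WINDOWS\\system32\\wevtutil.exe\" sl Microsoft-RMS-MSIPC/Debug /q:true /e:true /l:4 /rt:false",
     "ParentImage": "C:\\Windows\\SysWOW64\\msiexec.exe"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -Command Clear-EventLog -LogName Security", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "WMIC.exe nteventlog call ClearEventLog", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Windows\\System32\\wevtutil.exe", "OriginalFileName": "wevtutil.exe",  # read-only query: no match
     "CommandLine": "wevtutil.exe qe Security /c:5", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
]


def evaluate(ev: Dict[str, str]) -> Optional[str]:
    """Return the selection group that fires for one event, or None. Sigma string matching is case-insensitive."""
    img, cl = ev.get("Image", "").lower(), ev.get("CommandLine", "").lower()
    ends = lambda suffixes: any(img.endswith(s.lower()) for s in suffixes)
    contains = lambda needles: any(n.lower() in cl for n in needles)
    contains_all = lambda needles: all(n.lower() in cl for n in needles)

    wevtutil = ((ends(["\\wevtutil.exe"]) or ev.get("OriginalFileName", "").lower() == "wevtutil.exe")
                and contains(["clear-log ", " cl ", "set-log ", " sl ", "lfn:"]))
    powershell = ends(PS_IMAGES) and (
        contains(["Clear-EventLog ", "Remove-EventLog ", "Limit-EventLog ", "Clear-WinEvent "])
        or contains_all(["Eventing.Reader.EventLogSession", "ClearLog"])
        or contains_all(["Diagnostics.EventLog", "Clear"]))
    wmi = ends(PS_IMAGES + ["\\wmic.exe"]) and contains(["ClearEventLog"])
    # 'not 1 of filter_main_*': installer-driven 'wevtutil sl' config changes are suppressed whichever branch fired
    filtered = ev.get("ParentImage", "").lower() in MSIEXEC_PARENTS and contains([" sl "])

    if filtered:
        return None
    for name, hit in (("selection_wevtutil", wevtutil), ("selection_other_ps", powershell), ("selection_other_wmi", wmi)):
        if hit:
            return name
    return None


def run(events: List[Dict[str, str]]) -> List[Optional[str]]:
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for ev, verdict in zip(EVENTS, run(EVENTS)):
        print(f"{verdict or 'no match':22} {ev['CommandLine']}")
```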

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Stage | Field       | Kind  | Excluded value
6     | ParentImage | eq    | C:\Windows\SysWOW64\msiexec.exe
6     | ParentImage | eq    | C:\Windows\System32\msiexec.exe
6     | CommandLine | match | ' sl '

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while blank or 1 means the indicator is specific to this rule.

Field            | Kind       | Values
CommandLine      | match      |
  • cl
  • sl
  • Clear  (corpus 4: sigma 3, kusto 1)
  • Clear-EventLog
  • Clear-WinEvent
  • ClearEventLog  (corpus 2: sigma 2)
  • ClearLog
  • Diagnostics.EventLog
  • Eventing.Reader.EventLogSession
  • Limit-EventLog
  • Remove-EventLog
  • clear-log
  • lfn:
  • set-log
Image            | ends_with  |
  • \powershell.exe  (corpus 186: sigma 186)
  • \powershell_ise.exe  (corpus 42: sigma 42)
  • \pwsh.exe  (corpus 172: sigma 172)
  • \wevtutil.exe  (corpus 10: sigma 10)
  • \wmic.exe  (corpus 61: sigma 61)
OriginalFileName | eq         |
  • wevtutil.exe  (corpus 7: sigma 5, elastic 1, splunk 1)