Suspicious Eventlog Clearing or Configuration Change Activity

Severity: high
Author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105, Swachchhanda Shrawan Poudel (Nextron Systems)
Source: upstream

Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic". This technique were seen used by threat actors and ransomware strains in order to evade defenses.

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1070.001` Indicator Removal: Clear Windows Event Logs, `T1562.002` Impair Defenses: Disable Windows Event Logging

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `all of selection_wevtutil_img`

or:
Image|endswith: '\wevtutil.exe'
OriginalFileName: wevtutil.exe

Stage 2: `all of selection_wevtutil_cmd`

or:
CommandLine|contains: ' cl '
CommandLine|contains: ' sl '
CommandLine|contains: 'clear-log '
CommandLine|contains: 'lfn:'
CommandLine|contains: 'set-log '

Stage 3: `all of selection_other_ps_img`

or:
Image|endswith: '\powershell.exe'
Image|endswith: '\powershell_ise.exe'
Image|endswith: '\pwsh.exe'

Stage 4: `all of selection_other_ps_cmd`

or:
CommandLine|contains: Clear
CommandLine|contains: Diagnostics.EventLog
CommandLine|contains: ClearLog
CommandLine|contains: Eventing.Reader.EventLogSession
CommandLine|contains: 'Clear-EventLog '
CommandLine|contains: 'Clear-WinEvent '
CommandLine|contains: 'Limit-EventLog '
CommandLine|contains: 'Remove-EventLog '

Stage 5: `selection_other_wmi`

or:
Image|endswith: '\powershell.exe'
Image|endswith: '\powershell_ise.exe'
Image|endswith: '\pwsh.exe'
Image|endswith: '\wmic.exe'
CommandLine|contains: ClearEventLog

Stage 6: `not 1 of filter_main_msiexec`

ParentImage: ['C:\Windows\SysWOW64\msiexec.exe', 'C:\Windows\System32\msiexec.exe']
CommandLine|contains: ' sl '

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`cl` `sl` `Clear` `Clear-EventLog` `Clear-WinEvent` `ClearEventLog` `ClearLog` `Diagnostics.EventLog` `Eventing.Reader.EventLogSession` `Limit-EventLog` `Remove-EventLog` `clear-log` `lfn:` `set-log`
`Image`	ends_with	`\powershell.exe` corpus 143 (sigma 143) `\powershell_ise.exe` corpus 27 (sigma 27) `\pwsh.exe` corpus 140 (sigma 140) `\wevtutil.exe` corpus 6 (sigma 6) `\wmic.exe` corpus 37 (sigma 37)
`OriginalFileName`	eq	`wevtutil.exe` corpus 4 (sigma 4)
`ParentImage`	eq	`C:\Windows\SysWOW64\msiexec.exe` corpus 2 (sigma 2) `C:\Windows\System32\msiexec.exe` corpus 3 (sigma 3)

Suspicious Eventlog Clearing or Configuration Change Activity

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: all of selection_wevtutil_img

Stage 2: all of selection_wevtutil_cmd

Stage 3: all of selection_other_ps_img

Stage 4: all of selection_other_ps_cmd

Stage 5: selection_other_wmi